aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorReto Buerki <reet@codelabs.ch>2012-08-29 09:44:17 +0200
committerTobias Brunner <tobias@strongswan.org>2013-03-19 15:23:46 +0100
commit3290b9995c2de88979bb6a4dd1fc8b743f2080eb (patch)
tree597702b551aacee77b4b66b4181ee28f261795d8 /src
parent4c38878db529442d4a3b86f716687a365157d7f7 (diff)
downloadstrongswan-3290b9995c2de88979bb6a4dd1fc8b743f2080eb.tar.bz2
strongswan-3290b9995c2de88979bb6a4dd1fc8b743f2080eb.tar.xz
keymat: Create inbound and outbound AEAD transforms
Create and initialize AEAD transforms with keys derived by the TKM. Return these transforms in the get_aead function. IKE keys used by charon are derived by TKM now.
Diffstat (limited to 'src')
-rw-r--r--src/charon-tkm/src/tkm/tkm_keymat.c88
1 files changed, 85 insertions, 3 deletions
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index 43c180b8a..ab78994ec 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -42,10 +42,20 @@ struct private_tkm_keymat_t {
keymat_v2_t *proxy;
/**
- * IKE_SA Role, initiator or responder
+ * IKE_SA Role, initiator or responder.
*/
bool initiator;
+ /**
+ * Inbound AEAD.
+ */
+ aead_t *aead_in;
+
+ /**
+ * Outbound AEAD.
+ */
+ aead_t *aead_out;
+
};
METHOD(keymat_t, get_version, ike_version_t,
@@ -135,6 +145,76 @@ METHOD(tkm_keymat_t, derive_ike_keys, bool,
return FALSE;
}
+ /* Initialize AEAD with crypters and signers */
+ signer_t * const signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
+ signer_t * const signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
+ if (signer_i == NULL || signer_r == NULL)
+ {
+ DBG1(DBG_IKE, "%N %N not supported!",
+ transform_type_names, INTEGRITY_ALGORITHM,
+ integrity_algorithm_names, int_alg);
+ return FALSE;
+ }
+ crypter_t * const crypter_i = lib->crypto->create_crypter(lib->crypto,
+ enc_alg, key_size / 8);
+ crypter_t * const crypter_r = lib->crypto->create_crypter(lib->crypto,
+ enc_alg, key_size / 8);
+ if (crypter_i == NULL || crypter_r == NULL)
+ {
+ signer_i->destroy(signer_i);
+ signer_r->destroy(signer_r);
+ DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+ transform_type_names, ENCRYPTION_ALGORITHM,
+ encryption_algorithm_names, enc_alg, key_size);
+ return FALSE;
+ }
+
+ chunk_t key;
+ sequence_to_chunk(sk_ai.data, sk_ai.size, &key);
+ DBG4(DBG_IKE, "Sk_ai %B", &key);
+ if (!signer_i->set_key(signer_i, key))
+ {
+ return FALSE;
+ }
+ chunk_clear(&key);
+
+ sequence_to_chunk(sk_ar.data, sk_ar.size, &key);
+ DBG4(DBG_IKE, "Sk_ar %B", &key);
+ if (!signer_r->set_key(signer_r, key))
+ {
+ return FALSE;
+ }
+ chunk_clear(&key);
+
+ sequence_to_chunk(sk_ei.data, sk_ei.size, &key);
+ DBG4(DBG_IKE, "Sk_ei %B", &key);
+ if (!crypter_i->set_key(crypter_i, key))
+ {
+ return FALSE;
+ }
+ chunk_clear(&key);
+
+ sequence_to_chunk(sk_er.data, sk_er.size, &key);
+ DBG4(DBG_IKE, "Sk_er %B", &key);
+ if (!crypter_r->set_key(crypter_r, key))
+ {
+ return FALSE;
+ }
+ chunk_clear(&key);
+
+ if (this->initiator)
+ {
+ this->aead_in = aead_create(crypter_r, signer_r);
+ this->aead_out = aead_create(crypter_i, signer_i);
+ }
+ else
+ {
+ this->aead_in = aead_create(crypter_i, signer_i);
+ this->aead_out = aead_create(crypter_r, signer_r);
+ }
+
+ /* TODO: Add failure handler (see keymat_v2.c) */
+
if (this->proxy->derive_ike_keys(this->proxy, proposal, dh, nonce_i,
nonce_r, id, rekey_function, rekey_skd))
{
@@ -163,8 +243,7 @@ METHOD(tkm_keymat_t, derive_child_keys, bool,
METHOD(keymat_t, get_aead, aead_t*,
private_tkm_keymat_t *this, bool in)
{
- DBG1(DBG_IKE, "returning aead transform");
- return this->proxy->keymat.get_aead(&this->proxy->keymat, in);
+ return in ? this->aead_in : this->aead_out;
}
METHOD(tkm_keymat_t, get_auth_octets, bool,
@@ -195,6 +274,9 @@ METHOD(tkm_keymat_t, get_psk_sig, bool,
METHOD(keymat_t, destroy, void,
private_tkm_keymat_t *this)
{
+ DESTROY_IF(this->aead_in);
+ DESTROY_IF(this->aead_out);
+ this->proxy->keymat.destroy(&this->proxy->keymat);
free(this);
}