authorMartin Willi <martin@revosec.ch>2015-03-31 14:59:12 +0200
committerMartin Willi <martin@revosec.ch>2015-04-13 15:06:15 +0200
commit3c81cb6fc3225423ce82bbd97bd6fd9b70df8cc0 (patch)
tree73734ac0beef72de5a8ca3dff9b69c57a5e27fc1 /src
parenta4549e55250e35033cb5984d834f174eec795e9e (diff)
downloadstrongswan-3c81cb6fc3225423ce82bbd97bd6fd9b70df8cc0.tar.bz2
strongswan-3c81cb6fc3225423ce82bbd97bd6fd9b70df8cc0.tar.xz
aead: Create AEAD using traditional transforms with an explicit IV generator
Real AEADs directly provide a suitable IV generator, but traditional crypters do not. For some (stream) ciphers, we should use sequential IVs, for which we pass an appropriate generator to the AEAD wrapper.
Diffstat (limited to 'src')
-rw-r--r--src/charon-tkm/src/tkm/tkm_keymat.c15
-rw-r--r--src/libcharon/sa/ikev2/keymat_v2.c15
-rw-r--r--src/libipsec/esp_context.c9
-rw-r--r--src/libstrongswan/crypto/aead.c4
-rw-r--r--src/libstrongswan/crypto/aead.h3
5 files changed, 34 insertions, 12 deletions
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index 80721fafe..1e1fa4f30 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -102,6 +102,7 @@ static void aead_create_from_keys(aead_t **in, aead_t **out,
*in = *out = NULL;
signer_t *signer_i, *signer_r;
crypter_t *crypter_i, *crypter_r;
+ iv_gen_t *ivg_i, *ivg_r;
signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
@@ -145,15 +146,21 @@ static void aead_create_from_keys(aead_t **in, aead_t **out,
return;
}
+ ivg_i = iv_gen_create_for_alg(enc_alg);
+ ivg_r = iv_gen_create_for_alg(enc_alg);
+ if (!ivg_i || !ivg_r)
+ {
+ return;
+ }
if (initiator)
{
- *in = aead_create(crypter_r, signer_r);
- *out = aead_create(crypter_i, signer_i);
+ *in = aead_create(crypter_r, signer_r, ivg_r);
+ *out = aead_create(crypter_i, signer_i, ivg_i);
}
else
{
- *in = aead_create(crypter_i, signer_i);
- *out = aead_create(crypter_r, signer_r);
+ *in = aead_create(crypter_i, signer_i, ivg_i);
+ *out = aead_create(crypter_r, signer_r, ivg_r);
}
}
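Review bot: The new `if (!ivg_i || !ivg_r)` branch returns without releasing anything, so if only one `iv_gen_create_for_alg()` call fails the other generator leaks. The signers and crypters created earlier in aead_create_from_keys also look as if they stay allocated on this path; their setup lies outside the hunk, so confirm whether they already hold key material here. I would release them before the `return;`, for example `DESTROY_IF(ivg_i); DESTROY_IF(ivg_r);` plus the matching `destroy()` calls for the signers and crypters, and add a DBG1 line like the one esp_context.c logs for the same failure. The same one-sided generator leak applies to derive_ike_traditional in keymat_v2.c, where `ivg_i`/`ivg_r` are declared uninitialized and `goto failure` is taken; whether the label (outside that hunk) handles them is not visible.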
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index f70f5cfed..6fedc8eb5 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -193,6 +193,7 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg,
{
crypter_t *crypter_i = NULL, *crypter_r = NULL;
signer_t *signer_i, *signer_r;
+ iv_gen_t *ivg_i, *ivg_r;
size_t key_size;
chunk_t key = chunk_empty;
@@ -264,15 +265,21 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg,
goto failure;
}
+ ivg_i = iv_gen_create_for_alg(enc_alg);
+ ivg_r = iv_gen_create_for_alg(enc_alg);
+ if (!ivg_i || !ivg_r)
+ {
+ goto failure;
+ }
if (this->initiator)
{
- this->aead_in = aead_create(crypter_r, signer_r);
- this->aead_out = aead_create(crypter_i, signer_i);
+ this->aead_in = aead_create(crypter_r, signer_r, ivg_r);
+ this->aead_out = aead_create(crypter_i, signer_i, ivg_i);
}
else
{
- this->aead_in = aead_create(crypter_i, signer_i);
- this->aead_out = aead_create(crypter_r, signer_r);
+ this->aead_in = aead_create(crypter_i, signer_i, ivg_i);
+ this->aead_out = aead_create(crypter_r, signer_r, ivg_r);
}
signer_i = signer_r = NULL;
crypter_i = crypter_r = NULL;
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index 5e58f66da..a2307e048 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -244,6 +244,7 @@ static bool create_traditional(private_esp_context_t *this, int enc_alg,
{
crypter_t *crypter = NULL;
signer_t *signer = NULL;
+ iv_gen_t *ivg;
crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_key.len);
if (!crypter)
@@ -272,7 +273,13 @@ static bool create_traditional(private_esp_context_t *this, int enc_alg,
"failed");
goto failed;
}
- this->aead = aead_create(crypter, signer);
+ ivg = iv_gen_create_for_alg(enc_alg);
+ if (!ivg)
+ {
+ DBG1(DBG_ESP, "failed to create ESP context: creating iv gen failed");
+ goto failed;
+ }
+ this->aead = aead_create(crypter, signer, ivg);
return TRUE;
failed:
diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c
index afcc11fbe..d50bd4d22 100644
--- a/src/libstrongswan/crypto/aead.c
+++ b/src/libstrongswan/crypto/aead.c
@@ -172,7 +172,7 @@ METHOD(aead_t, destroy, void,
/**
* See header
*/
-aead_t *aead_create(crypter_t *crypter, signer_t *signer)
+aead_t *aead_create(crypter_t *crypter, signer_t *signer, iv_gen_t *iv_gen)
{
private_aead_t *this;
@@ -190,7 +190,7 @@ aead_t *aead_create(crypter_t *crypter, signer_t *signer)
},
.crypter = crypter,
.signer = signer,
- .iv_gen = iv_gen_rand_create(),
+ .iv_gen = iv_gen,
);
return &this->public;
diff --git a/src/libstrongswan/crypto/aead.h b/src/libstrongswan/crypto/aead.h
index 43f71b65e..9d1b8df55 100644
--- a/src/libstrongswan/crypto/aead.h
+++ b/src/libstrongswan/crypto/aead.h
@@ -135,8 +135,9 @@ struct aead_t {
*
* @param crypter encryption transform for this aead
* @param signer integrity transform for this aead
+ * @param iv_gen suitable IV generator for encryption algorithm
* @return aead transform
*/
-aead_t *aead_create(crypter_t *crypter, signer_t *signer);
+aead_t *aead_create(crypter_t *crypter, signer_t *signer, iv_gen_t *iv_gen);
#endif /** AEAD_H_ @}*/
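Review bot: The added `@param iv_gen` line does not say who owns the generator or whether NULL is accepted, while aead.c now stores the caller's pointer with `.iv_gen = iv_gen` and no check. Every caller in this commit tests for NULL first, so the contract holds only implicitly. I would state it, e.g. `@param iv_gen IV generator matching the crypter's mode, must not be NULL; owned by the aead and destroyed with it` (ownership is inferred from the removed internal `iv_gen_rand_create()`, so confirm it against destroy()). It would also help to define "suitable": CBC-style crypters need unpredictable IVs, while counter and stream modes need IVs that never repeat under one key.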