diff options
| -rw-r--r-- | src/conftest/hooks/pretend_auth.c | 5 | ||||
| -rw-r--r-- | src/conftest/hooks/rebuild_auth.c | 5 | ||||
| -rw-r--r-- | src/libcharon/sa/authenticators/eap_authenticator.c | 11 | ||||
| -rw-r--r-- | src/libcharon/sa/authenticators/psk_authenticator.c | 9 | ||||
| -rw-r--r-- | src/libcharon/sa/authenticators/pubkey_authenticator.c | 9 | ||||
| -rw-r--r-- | src/libcharon/sa/keymat.h | 89 | ||||
| -rw-r--r-- | src/libcharon/sa/keymat_v1.c | 19 | ||||
| -rw-r--r-- | src/libcharon/sa/keymat_v2.c | 22 | ||||
| -rw-r--r-- | src/libcharon/sa/keymat_v2.h | 88 | ||||
| -rw-r--r-- | src/libcharon/sa/tasks/child_create.c | 11 | ||||
| -rw-r--r-- | src/libcharon/sa/tasks/ike_init.c | 21 |
11 files changed, 142 insertions, 147 deletions
diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c index ff99900f2..f91b6bf9b 100644 --- a/src/conftest/hooks/pretend_auth.c +++ b/src/conftest/hooks/pretend_auth.c @@ -15,6 +15,7 @@ #include "hook.h" +#include <sa/keymat_v2.h> #include <encoding/payloads/nonce_payload.h> #include <encoding/payloads/cert_payload.h> #include <encoding/payloads/auth_payload.h> @@ -190,7 +191,7 @@ static bool build_auth(private_pretend_auth_t *this, auth_payload_t *auth_payload; auth_method_t auth_method; signature_scheme_t scheme; - keymat_t *keymat; + keymat_v2_t *keymat; auth = auth_cfg_create(); private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->id, auth); @@ -235,7 +236,7 @@ static bool build_auth(private_pretend_auth_t *this, key_type_names, private->get_type(private)); return FALSE; } - keymat = ike_sa->get_keymat(ike_sa); + keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa); octets = keymat->get_auth_octets(keymat, TRUE, this->ike_init, this->nonce, this->id, this->reserved); if (!private->sign(private, scheme, octets, &auth_data)) diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c index 993c952e0..cf9b113cc 100644 --- a/src/conftest/hooks/rebuild_auth.c +++ b/src/conftest/hooks/rebuild_auth.c @@ -15,6 +15,7 @@ #include "hook.h" +#include <sa/keymat_v2.h> #include <encoding/generator.h> #include <encoding/payloads/nonce_payload.h> #include <encoding/payloads/auth_payload.h> @@ -62,7 +63,7 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa, auth_payload_t *auth_payload; auth_method_t auth_method; signature_scheme_t scheme; - keymat_t *keymat; + keymat_v2_t *keymat; identification_t *id; char reserved[3]; generator_t *generator; @@ -137,7 +138,7 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa, id->destroy(id); return FALSE; } - keymat = ike_sa->get_keymat(ike_sa); + keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa); octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init, this->nonce, id, reserved); if (!private->sign(private, scheme, octets, &auth_data)) diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c index c85a45fb3..d36d544e8 100644 --- a/src/libcharon/sa/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/authenticators/eap_authenticator.c @@ -16,6 +16,7 @@ #include "eap_authenticator.h" #include <daemon.h> +#include <sa/keymat_v2.h> #include <sa/authenticators/eap/eap_method.h> #include <encoding/payloads/auth_payload.h> #include <encoding/payloads/eap_payload.h> @@ -376,7 +377,7 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this, if (vendor) { DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d ", - "(id 0x%02X)", type, vendor, in->get_identifier(in)); + "(id 0x%02X)", type, vendor, in->get_identifier(in)); } else { @@ -419,7 +420,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, chunk_t auth_data, recv_auth_data; identification_t *other_id; auth_cfg_t *auth; - keymat_t *keymat; + keymat_v2_t *keymat; auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION); @@ -429,7 +430,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, return FALSE; } other_id = this->ike_sa->get_other_id(this->ike_sa); - keymat = this->ike_sa->get_keymat(this->ike_sa); + keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce, this->msk, other_id, this->reserved); recv_auth_data = auth_payload->get_data(auth_payload); @@ -459,10 +460,10 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message, auth_payload_t *auth_payload; identification_t *my_id; chunk_t auth_data; - keymat_t *keymat; + keymat_v2_t *keymat; my_id = this->ike_sa->get_my_id(this->ike_sa); - keymat = this->ike_sa->get_keymat(this->ike_sa); + keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_class_names, AUTH_CLASS_EAP); diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/authenticators/psk_authenticator.c index 21fc0f9b8..26c722530 100644 --- a/src/libcharon/sa/authenticators/psk_authenticator.c +++ b/src/libcharon/sa/authenticators/psk_authenticator.c @@ -18,6 +18,7 @@ #include <daemon.h> #include <encoding/payloads/auth_payload.h> +#include <sa/keymat_v2.h> typedef struct private_psk_authenticator_t private_psk_authenticator_t; @@ -59,9 +60,9 @@ METHOD(authenticator_t, build, status_t, auth_payload_t *auth_payload; shared_key_t *key; chunk_t auth_data; - keymat_t *keymat; + keymat_v2_t *keymat; - keymat = this->ike_sa->get_keymat(this->ike_sa); + keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); my_id = this->ike_sa->get_my_id(this->ike_sa); other_id = this->ike_sa->get_other_id(this->ike_sa); DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", @@ -96,14 +97,14 @@ METHOD(authenticator_t, process, status_t, enumerator_t *enumerator; bool authenticated = FALSE; int keys_found = 0; - keymat_t *keymat; + keymat_v2_t *keymat; auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION); if (!auth_payload) { return FAILED; } - keymat = this->ike_sa->get_keymat(this->ike_sa); + keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); recv_auth_data = auth_payload->get_data(auth_payload); my_id = this->ike_sa->get_my_id(this->ike_sa); other_id = this->ike_sa->get_other_id(this->ike_sa); diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c index 247891670..df5b06ae6 100644 --- a/src/libcharon/sa/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c @@ -19,6 +19,7 @@ #include <daemon.h> #include <encoding/payloads/auth_payload.h> +#include <sa/keymat_v2.h> typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t; @@ -64,7 +65,7 @@ METHOD(authenticator_t, build, status_t, auth_payload_t *auth_payload; auth_method_t auth_method; signature_scheme_t scheme; - keymat_t *keymat; + keymat_v2_t *keymat; id = this->ike_sa->get_my_id(this->ike_sa); auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); @@ -110,7 +111,7 @@ METHOD(authenticator_t, build, status_t, key_type_names, private->get_type(private)); return status; } - keymat = this->ike_sa->get_keymat(this->ike_sa); + keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, this->nonce, id, this->reserved); if (private->sign(private, scheme, octets, &auth_data)) @@ -144,7 +145,7 @@ METHOD(authenticator_t, process, status_t, key_type_t key_type = KEY_ECDSA; signature_scheme_t scheme; status_t status = NOT_FOUND; - keymat_t *keymat; + keymat_v2_t *keymat; auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION); if (!auth_payload) @@ -174,7 +175,7 @@ METHOD(authenticator_t, process, status_t, } auth_data = auth_payload->get_data(auth_payload); id = this->ike_sa->get_other_id(this->ike_sa); - keymat = this->ike_sa->get_keymat(this->ike_sa); + keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init, this->nonce, id, this->reserved); auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h index 7867898c1..5860044b6 100644 --- a/src/libcharon/sa/keymat.h +++ b/src/libcharon/sa/keymat.h @@ -46,58 +46,8 @@ struct keymat_t { * @param group diffie hellman group * @return DH object, NULL if group not supported */ - diffie_hellman_t* (*create_dh)(keymat_t *this, diffie_hellman_group_t group); - - /** - * Derive keys for the IKE_SA. - * - * These keys are not handed out, but are used by the associated signers, - * crypters and authentication functions. - * - * @param proposal selected algorithms - * @param dh diffie hellman key allocated by create_dh() - * @param nonce_i initiators nonce value - * @param nonce_r responders nonce value - * @param id IKE_SA identifier - * @param rekey_prf PRF of old SA if rekeying, PRF_UNDEFINED otherwise - * @param rekey_sdk SKd of old SA if rekeying - * @return TRUE on success - */ - bool (*derive_ike_keys)(keymat_t *this, proposal_t *proposal, - diffie_hellman_t *dh, chunk_t nonce_i, - chunk_t nonce_r, ike_sa_id_t *id, - pseudo_random_function_t rekey_function, - chunk_t rekey_skd); - /** - * Derive keys for a CHILD_SA. - * - * The keys for the CHILD_SA are allocated in the integ and encr chunks. - * An implementation might hand out encrypted keys only, which are - * decrypted in the kernel before use. - * If no PFS is used for the CHILD_SA, dh can be NULL. - * - * @param proposal selected algorithms - * @param dh diffie hellman key allocated by create_dh(), or NULL - * @param nonce_i initiators nonce value - * @param nonce_r responders nonce value - * @param encr_i chunk to write initiators encryption key to - * @param integ_i chunk to write initiators integrity key to - * @param encr_r chunk to write responders encryption key to - * @param integ_r chunk to write responders integrity key to - * @return TRUE on success - */ - bool (*derive_child_keys)(keymat_t *this, - proposal_t *proposal, diffie_hellman_t *dh, - chunk_t nonce_i, chunk_t nonce_r, - chunk_t *encr_i, chunk_t *integ_i, - chunk_t *encr_r, chunk_t *integ_r); - /** - * Get SKd to pass to derive_ikey_keys() during rekeying. - * - * @param skd chunk to write SKd to (internal data) - * @return PRF function to derive keymat - */ - pseudo_random_function_t (*get_skd)(keymat_t *this, chunk_t *skd); + diffie_hellman_t* (*create_dh)(keymat_t *this, + diffie_hellman_group_t group); /* * Get a AEAD transform to en-/decrypt and sign/verify IKE messages. @@ -108,41 +58,6 @@ struct keymat_t { aead_t* (*get_aead)(keymat_t *this, bool in); /** - * Generate octets to use for authentication procedure (RFC4306 2.15). - * - * This method creates the plain octets and is usually signed by a private - * key. PSK and EAP authentication include a secret into the data, use - * the get_psk_sig() method instead. - * - * @param verify TRUE to create for verfification, FALSE to sign - * @param ike_sa_init encoded ike_sa_init message - * @param nonce nonce value - * @param id identity - * @param reserved reserved bytes of id_payload - * @return authentication octets - */ - chunk_t (*get_auth_octets)(keymat_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, identification_t *id, - char reserved[3]); - /** - * Build the shared secret signature used for PSK and EAP authentication. - * - * This method wraps the get_auth_octets() method and additionally - * includes the secret into the signature. If no secret is given, SK_p is - * used as secret (used for EAP methods without MSK). - * - * @param verify TRUE to create for verfification, FALSE to sign - * @param ike_sa_init encoded ike_sa_init message - * @param nonce nonce value - * @param secret optional secret to include into signature - * @param id identity - * @param reserved reserved bytes of id_payload - * @return signature octets - */ - chunk_t (*get_psk_sig)(keymat_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, chunk_t secret, - identification_t *id, char reserved[3]); - /** * Destroy a keymat_t. */ void (*destroy)(keymat_t *this); diff --git a/src/libcharon/sa/keymat_v1.c b/src/libcharon/sa/keymat_v1.c index f73366d43..e4f58a499 100644 --- a/src/libcharon/sa/keymat_v1.c +++ b/src/libcharon/sa/keymat_v1.c @@ -81,20 +81,6 @@ METHOD(keymat_t, get_aead, aead_t*, return NULL; } -METHOD(keymat_t, get_auth_octets, chunk_t, - private_keymat_v1_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, identification_t *id, char reserved[3]) -{ - return chunk_empty; -} - -METHOD(keymat_t, get_psk_sig, chunk_t, - private_keymat_v1_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3]) -{ - return chunk_empty; -} - METHOD(keymat_t, destroy, void, private_keymat_v1_t *this) { @@ -113,12 +99,7 @@ keymat_v1_t *keymat_v1_create(bool initiator) .public = { .keymat = { .create_dh = _create_dh, - .derive_ike_keys = _derive_ike_keys, - .derive_child_keys = _derive_child_keys, - .get_skd = _get_skd, .get_aead = _get_aead, - .get_auth_octets = _get_auth_octets, - .get_psk_sig = _get_psk_sig, .destroy = _destroy, }, }, diff --git a/src/libcharon/sa/keymat_v2.c b/src/libcharon/sa/keymat_v2.c index 562a72f14..9fd17328f 100644 --- a/src/libcharon/sa/keymat_v2.c +++ b/src/libcharon/sa/keymat_v2.c @@ -127,7 +127,7 @@ static int lookup_keylen(keylen_entry_t *list, int algo) METHOD(keymat_t, create_dh, diffie_hellman_t*, private_keymat_v2_t *this, diffie_hellman_group_t group) { - return lib->crypto->create_dh(lib->crypto, group);; + return lib->crypto->create_dh(lib->crypto, group); } /** @@ -244,7 +244,7 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg, return TRUE; } -METHOD(keymat_t, derive_ike_keys, bool, +METHOD(keymat_v2_t, derive_ike_keys, bool, private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t rekey_function, chunk_t rekey_skd) @@ -420,7 +420,7 @@ METHOD(keymat_t, derive_ike_keys, bool, return TRUE; } -METHOD(keymat_t, derive_child_keys, bool, +METHOD(keymat_v2_t, derive_child_keys, bool, private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r) @@ -525,7 +525,7 @@ METHOD(keymat_t, derive_child_keys, bool, return TRUE; } -METHOD(keymat_t, get_skd, pseudo_random_function_t, +METHOD(keymat_v2_t, get_skd, pseudo_random_function_t, private_keymat_v2_t *this, chunk_t *skd) { *skd = this->skd; @@ -538,7 +538,7 @@ METHOD(keymat_t, get_aead, aead_t*, return in ? this->aead_in : this->aead_out; } -METHOD(keymat_t, get_auth_octets, chunk_t, +METHOD(keymat_v2_t, get_auth_octets, chunk_t, private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id, char reserved[3]) { @@ -568,7 +568,7 @@ METHOD(keymat_t, get_auth_octets, chunk_t, #define IKEV2_KEY_PAD "Key Pad for IKEv2" #define IKEV2_KEY_PAD_LENGTH 17 -METHOD(keymat_t, get_psk_sig, chunk_t, +METHOD(keymat_v2_t, get_psk_sig, chunk_t, private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3]) { @@ -617,14 +617,14 @@ keymat_v2_t *keymat_v2_create(bool initiator) .public = { .keymat = { .create_dh = _create_dh, - .derive_ike_keys = _derive_ike_keys, - .derive_child_keys = _derive_child_keys, - .get_skd = _get_skd, .get_aead = _get_aead, - .get_auth_octets = _get_auth_octets, - .get_psk_sig = _get_psk_sig, .destroy = _destroy, }, + .derive_ike_keys = _derive_ike_keys, + .derive_child_keys = _derive_child_keys, + .get_skd = _get_skd, + .get_auth_octets = _get_auth_octets, + .get_psk_sig = _get_psk_sig, }, .initiator = initiator, .prf_alg = PRF_UNDEFINED, diff --git a/src/libcharon/sa/keymat_v2.h b/src/libcharon/sa/keymat_v2.h index 6026a0296..b33e71344 100644 --- a/src/libcharon/sa/keymat_v2.h +++ b/src/libcharon/sa/keymat_v2.h @@ -34,6 +34,94 @@ struct keymat_v2_t { * Implements keymat_t. */ keymat_t keymat; + + /** + * Derive keys for the IKE_SA. + * + * These keys are not handed out, but are used by the associated signers, + * crypters and authentication functions. + * + * @param proposal selected algorithms + * @param dh diffie hellman key allocated by create_dh() + * @param nonce_i initiators nonce value + * @param nonce_r responders nonce value + * @param id IKE_SA identifier + * @param rekey_prf PRF of old SA if rekeying, PRF_UNDEFINED otherwise + * @param rekey_sdk SKd of old SA if rekeying + * @return TRUE on success + */ + bool (*derive_ike_keys)(keymat_v2_t *this, proposal_t *proposal, + diffie_hellman_t *dh, chunk_t nonce_i, + chunk_t nonce_r, ike_sa_id_t *id, + pseudo_random_function_t rekey_function, + chunk_t rekey_skd); + + /** + * Derive keys for a CHILD_SA. + * + * The keys for the CHILD_SA are allocated in the integ and encr chunks. + * An implementation might hand out encrypted keys only, which are + * decrypted in the kernel before use. + * If no PFS is used for the CHILD_SA, dh can be NULL. + * + * @param proposal selected algorithms + * @param dh diffie hellman key allocated by create_dh(), or NULL + * @param nonce_i initiators nonce value + * @param nonce_r responders nonce value + * @param encr_i chunk to write initiators encryption key to + * @param integ_i chunk to write initiators integrity key to + * @param encr_r chunk to write responders encryption key to + * @param integ_r chunk to write responders integrity key to + * @return TRUE on success + */ + bool (*derive_child_keys)(keymat_v2_t *this, + proposal_t *proposal, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r, + chunk_t *encr_i, chunk_t *integ_i, + chunk_t *encr_r, chunk_t *integ_r); + /** + * Get SKd to pass to derive_ikey_keys() during rekeying. + * + * @param skd chunk to write SKd to (internal data) + * @return PRF function to derive keymat + */ + pseudo_random_function_t (*get_skd)(keymat_v2_t *this, chunk_t *skd); + + /** + * Generate octets to use for authentication procedure (RFC4306 2.15). + * + * This method creates the plain octets and is usually signed by a private + * key. PSK and EAP authentication include a secret into the data, use + * the get_psk_sig() method instead. + * + * @param verify TRUE to create for verfification, FALSE to sign + * @param ike_sa_init encoded ike_sa_init message + * @param nonce nonce value + * @param id identity + * @param reserved reserved bytes of id_payload + * @return authentication octets + */ + chunk_t (*get_auth_octets)(keymat_v2_t *this, bool verify, + chunk_t ike_sa_init, chunk_t nonce, + identification_t *id, char reserved[3]); + /** + * Build the shared secret signature used for PSK and EAP authentication. + * + * This method wraps the get_auth_octets() method and additionally + * includes the secret into the signature. If no secret is given, SK_p is + * used as secret (used for EAP methods without MSK). + * + * @param verify TRUE to create for verfification, FALSE to sign + * @param ike_sa_init encoded ike_sa_init message + * @param nonce nonce value + * @param secret optional secret to include into signature + * @param id identity + * @param reserved reserved bytes of id_payload + * @return signature octets + */ + chunk_t (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init, + chunk_t nonce, chunk_t secret, + identification_t *id, char reserved[3]); }; /** diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c index 7a89e6f62..b0d50efa6 100644 --- a/src/libcharon/sa/tasks/child_create.c +++ b/src/libcharon/sa/tasks/child_create.c @@ -18,6 +18,7 @@ #include "child_create.h" #include <daemon.h> +#include <sa/keymat_v2.h> #include <crypto/diffie_hellman.h> #include <credentials/certificates/x509.h> #include <encoding/payloads/sa_payload.h> @@ -109,7 +110,7 @@ struct private_child_create_t { /** * IKE_SAs keymat */ - keymat_t *keymat; + keymat_v2_t *keymat; /** * mode the new CHILD_SA uses (transport/tunnel/beet) @@ -683,7 +684,8 @@ static void process_payloads(private_child_create_t *this, message_t *message) if (!this->initiator) { this->dh_group = ke_payload->get_dh_group_number(ke_payload); - this->dh = this->keymat->create_dh(this->keymat, this->dh_group); + this->dh = this->keymat->keymat.create_dh( + &this->keymat->keymat, this->dh_group); } if (this->dh) { @@ -815,7 +817,8 @@ METHOD(task_t, build_i, status_t, if (this->dh_group != MODP_NONE) { - this->dh = this->keymat->create_dh(this->keymat, this->dh_group); + this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, + this->dh_group); } if (this->config->use_ipcomp(this->config)) @@ -1307,7 +1310,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, .packet_tsi = tsi ? tsi->clone(tsi) : NULL, .packet_tsr = tsr ? tsr->clone(tsr) : NULL, .dh_group = MODP_NONE, - .keymat = ike_sa->get_keymat(ike_sa), + .keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa), .mode = MODE_TUNNEL, .tfcv3 = TRUE, .ipcomp = IPCOMP_NONE, diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/tasks/ike_init.c index 390756706..868680bb6 100644 --- a/src/libcharon/sa/tasks/ike_init.c +++ b/src/libcharon/sa/tasks/ike_init.c @@ -20,6 +20,7 @@ #include <string.h> #include <daemon.h> +#include <sa/keymat_v2.h> #include <crypto/diffie_hellman.h> #include <encoding/payloads/sa_payload.h> #include <encoding/payloads/ke_payload.h> @@ -68,7 +69,7 @@ struct private_ike_init_t { /** * Keymat derivation (from IKE_SA) */ - keymat_t *keymat; + keymat_v2_t *keymat; /** * nonce chosen by us @@ -199,8 +200,8 @@ static void process_payloads(private_ike_init_t *this, message_t *message) this->dh_group = ke_payload->get_dh_group_number(ke_payload); if (!this->initiator) { - this->dh = this->keymat->create_dh(this->keymat, - this->dh_group); + this->dh = this->keymat->keymat.create_dh( + &this->keymat->keymat, this->dh_group); } if (this->dh) { @@ -245,7 +246,8 @@ METHOD(task_t, build_i, status_t, if (!this->dh) { this->dh_group = this->config->get_dh_group(this->config); - this->dh = this->keymat->create_dh(this->keymat, this->dh_group); + this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, + this->dh_group); if (!this->dh) { DBG1(DBG_IKE, "configured DH group %N not supported", @@ -329,7 +331,7 @@ METHOD(task_t, process_r, status_t, static bool derive_keys(private_ike_init_t *this, chunk_t nonce_i, chunk_t nonce_r) { - keymat_t *old_keymat; + keymat_v2_t *old_keymat; pseudo_random_function_t prf_alg = PRF_UNDEFINED; chunk_t skd = chunk_empty; ike_sa_id_t *id; @@ -338,7 +340,7 @@ static bool derive_keys(private_ike_init_t *this, if (this->old_sa) { /* rekeying: Include old SKd, use old PRF, apply SPI */ - old_keymat = this->old_sa->get_keymat(this->old_sa); + old_keymat = (keymat_v2_t*)this->old_sa->get_keymat(this->old_sa); prf_alg = old_keymat->get_skd(old_keymat, &skd); if (this->initiator) { @@ -517,10 +519,11 @@ METHOD(task_t, migrate, void, chunk_free(&this->other_nonce); this->ike_sa = ike_sa; - this->keymat = ike_sa->get_keymat(ike_sa); + this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa); this->proposal = NULL; DESTROY_IF(this->dh); - this->dh = this->keymat->create_dh(this->keymat, this->dh_group); + this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, + this->dh_group); } METHOD(task_t, destroy, void, @@ -567,7 +570,7 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa) .ike_sa = ike_sa, .initiator = initiator, .dh_group = MODP_NONE, - .keymat = ike_sa->get_keymat(ike_sa), + .keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa), .old_sa = old_sa, ); |