diff options
Diffstat (limited to 'Source/charon/sa')
| -rw-r--r-- | Source/charon/sa/ike_sa.c | 201 | ||||
| -rw-r--r-- | Source/charon/sa/ike_sa.h | 11 | ||||
| -rw-r--r-- | Source/charon/sa/states/ike_sa_init_requested.c | 51 | ||||
| -rw-r--r-- | Source/charon/sa/states/responder_init.c | 29 |
4 files changed, 243 insertions, 49 deletions
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c index 79620f29c..914da1e74 100644 --- a/Source/charon/sa/ike_sa.c +++ b/Source/charon/sa/ike_sa.c @@ -32,6 +32,7 @@ #include <utils/randomizer.h> #include <transforms/diffie_hellman.h> #include <transforms/prf_plus.h> +#include <transforms/crypters/crypter.h> #include <encoding/payloads/sa_payload.h> #include <encoding/payloads/nonce_payload.h> #include <encoding/payloads/ke_payload.h> @@ -348,6 +349,9 @@ static ike_sa_id_t* get_id(private_ike_sa_t *this) return this->ike_sa_id; } +/** + * @brief implements function protected_ike_sa_t.compute_secrets + */ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret,chunk_t initiator_nonce, chunk_t responder_nonce) { chunk_t concatenated_nonces; @@ -357,8 +361,8 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret u_int64_t initiator_spi; u_int64_t responder_spi; prf_plus_t *prf_plus; - chunk_t secrets_raw; - + + /* * TODO check length for specific prf's */ @@ -398,6 +402,7 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret return FAILED; } + /* first is initiator */ memcpy(prf_plus_seed.ptr,initiator_nonce.ptr,initiator_nonce.len); /* second is responder */ @@ -409,8 +414,8 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret responder_spi = this->ike_sa_id->get_responder_spi(this->ike_sa_id); memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len + 8,&responder_spi,8); - this->logger->log_chunk(this->logger, PRIVATE, "Keyseed", &skeyseed); - this->logger->log_chunk(this->logger, PRIVATE, "PRF+ Seed", &prf_plus_seed); + this->logger->log_chunk(this->logger, PRIVATE | MORE, "Keyseed", &skeyseed); + this->logger->log_chunk(this->logger, PRIVATE | MORE, "PRF+ Seed", &prf_plus_seed); this->logger->log(this->logger, CONTROL | MOST, "Set new key of prf object"); status = this->prf->set_key(this->prf,skeyseed); @@ -431,11 +436,85 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret return FAILED; } - prf_plus->allocate_bytes(prf_plus,100,&secrets_raw); - - this->logger->log_chunk(this->logger, PRIVATE, "Secrets", &secrets_raw); + status = prf_plus->allocate_bytes(prf_plus,this->prf->get_block_size(this->prf),&(this->secrets.d_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_d"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", &(this->secrets.d_key)); + + status = prf_plus->allocate_bytes(prf_plus,this->crypter_initiator->get_block_size(this->crypter_initiator),&(this->secrets.ei_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ei"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", &(this->secrets.ei_key)); + status = this->crypter_initiator->set_key(this->crypter_initiator,this->secrets.ei_key); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not set encryption key initiator crypter"); + return status; + } + + status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.er_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_er"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &(this->secrets.er_key)); + status = this->crypter_responder->set_key(this->crypter_responder,this->secrets.er_key); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not set encryption key responder crypter"); + return status; + } + + status = prf_plus->allocate_bytes(prf_plus,this->signer_initiator->get_block_size(this->signer_initiator),&(this->secrets.ai_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ai"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", &(this->secrets.ai_key)); + status = this->signer_initiator->set_key(this->signer_initiator,this->secrets.ai_key); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not set key for initiator signer"); + return status; + } + + status = prf_plus->allocate_bytes(prf_plus,this->signer_responder->get_block_size(this->signer_responder),&(this->secrets.ar_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ar"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", &(this->secrets.ar_key)); + status = this->signer_responder->set_key(this->signer_responder,this->secrets.ar_key); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not set key for responder signer"); + return status; + } + + status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pi_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_pi"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &(this->secrets.pi_key)); - allocator_free_chunk(&secrets_raw); + status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pr_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_pr"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &(this->secrets.pr_key)); prf_plus->destroy(prf_plus); @@ -496,6 +575,7 @@ status_t create_delete_job (private_ike_sa_t *this) */ static void set_new_state (private_ike_sa_t *this, state_t *state) { + this->logger->log(this->logger, ERROR, "Change current state %s to %s",mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),mapping_find(ike_sa_state_m,state->get_state(state))); this->current_state = state; } @@ -530,6 +610,7 @@ static void set_my_host (private_ike_sa_t *this, host_t *my_host) { if (this->me.host != NULL) { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing my host object"); this->me.host->destroy(this->me.host); } this->me.host = my_host; @@ -542,6 +623,7 @@ static void set_other_host (private_ike_sa_t *this, host_t *other_host) { if (this->other.host != NULL) { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing other host object"); this->other.host->destroy(this->other.host); } this->other.host = other_host; @@ -550,13 +632,110 @@ static void set_other_host (private_ike_sa_t *this, host_t *other_host) /** * Implementation of protected_ike_sa_t.set_prf. */ -static void set_prf (private_ike_sa_t *this,prf_t *prf) +static status_t create_transforms_from_proposal (private_ike_sa_t *this,proposal_substructure_t *proposal) { + status_t status; + u_int16_t encryption_algorithm; + u_int16_t encryption_algorithm_key_length; + u_int16_t integrity_algorithm; + u_int16_t integrity_algorithm_key_length; + u_int16_t pseudo_random_function; + u_int16_t pseudo_random_function_key_length; + + this ->logger->log(this->logger, CONTROL|MORE, "Going to create transform objects for proposal"); + + this ->logger->log(this->logger, CONTROL|MOST, "Get encryption transform type"); + status = proposal->get_info_for_transform_type(proposal,ENCRYPTION_ALGORITHM,&(encryption_algorithm),&(encryption_algorithm_key_length)); + if (status != SUCCESS) + { + this ->logger->log(this->logger, ERROR|MORE, "Could not get encryption transform type"); + return status; + } + this ->logger->log(this->logger, CONTROL|MORE, "Encryption algorithm: %s with keylength %d",mapping_find(encryption_algorithm_m,encryption_algorithm),encryption_algorithm_key_length); + + this ->logger->log(this->logger, CONTROL|MOST, "Get integrity transform type"); + status = proposal->get_info_for_transform_type(proposal,INTEGRITY_ALGORITHM,&(integrity_algorithm),&(integrity_algorithm_key_length)); + if (status != SUCCESS) + { + this ->logger->log(this->logger, ERROR|MORE, "Could not get integrity transform type"); + return status; + } + this ->logger->log(this->logger, CONTROL|MORE, "integrity algorithm: %s with keylength %d",mapping_find(integrity_algorithm_m,integrity_algorithm),integrity_algorithm_key_length); + + this ->logger->log(this->logger, CONTROL|MOST, "Get prf transform type"); + status = proposal->get_info_for_transform_type(proposal,PSEUDO_RANDOM_FUNCTION,&(pseudo_random_function),&(pseudo_random_function_key_length)); + if (status != SUCCESS) + { + this ->logger->log(this->logger, ERROR|MORE, "Could not prf transform type"); + return status; + } + this ->logger->log(this->logger, CONTROL|MORE, "prf: %s with keylength %d",mapping_find(pseudo_random_function_m,pseudo_random_function),pseudo_random_function_key_length); + + + + if (this->prf != NULL) { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing prf_t object"); this->prf->destroy(this->prf); } - this->prf = prf; + this->prf = prf_create(pseudo_random_function); + if (this->prf == NULL) + { + this ->logger->log(this->logger, ERROR|MORE, "prf does not seem to be supported!"); + return FAILED; + } + + if (this->crypter_initiator != NULL) + { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing initiator crypter_t object"); + this->crypter_initiator->destroy(this->crypter_initiator); + } + this->crypter_initiator = crypter_create(encryption_algorithm,encryption_algorithm_key_length); + if (this->crypter_initiator == NULL) + { + this ->logger->log(this->logger, ERROR|MORE, "encryption algorithm does not seem to be supported!"); + return FAILED; + } + + if (this->crypter_responder != NULL) + { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing responder crypter_t object"); + this->crypter_responder->destroy(this->crypter_responder); + } + this->crypter_responder = crypter_create(encryption_algorithm,encryption_algorithm_key_length); + if (this->crypter_responder == NULL) + { + this ->logger->log(this->logger, ERROR|MORE, "encryption algorithm does not seem to be supported!"); + return FAILED; + } + + if (this->signer_initiator != NULL) + { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing initiator signer_t object"); + this->signer_initiator->destroy(this->signer_initiator); + } + this->signer_initiator = signer_create(integrity_algorithm); + if (this->signer_initiator == NULL) + { + this ->logger->log(this->logger, ERROR|MORE, "integrity algorithm does not seem to be supported!"); + return FAILED; + } + + + if (this->signer_responder != NULL) + { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing responder signer_t object"); + this->signer_responder->destroy(this->signer_responder); + } + this->signer_responder = signer_create(integrity_algorithm); + if (this->signer_responder == NULL) + { + this ->logger->log(this->logger, ERROR|MORE, "integrity algorithm does not seem to be supported!"); + return FAILED; + } + + return SUCCESS; } /** @@ -775,7 +954,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer; this->protected.set_last_requested_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_requested_message; this->protected.set_last_responded_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_responded_message; - this->protected.set_prf = (void (*) (protected_ike_sa_t *,prf_t *)) set_prf; + this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,proposal_substructure_t *)) create_transforms_from_proposal; this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state; /* private functions */ diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h index aa6c0d50f..8ea445b4e 100644 --- a/Source/charon/sa/ike_sa.h +++ b/Source/charon/sa/ike_sa.h @@ -26,6 +26,7 @@ #include <types.h> #include <encoding/message.h> +#include <encoding/payloads/proposal_substructure.h> #include <sa/ike_sa_id.h> #include <utils/logger.h> #include <utils/randomizer.h> @@ -171,14 +172,16 @@ struct protected_ike_sa_t { void (*set_other_host) (protected_ike_sa_t *this,host_t *other_host); /** - * Sets the internal stored prf_t object. + * Creates all needed transform objects for given ike_sa_t using + * the informations stored in a proposal_substructure_t object * - * Allready existing object gets destroyed. object gets not cloned! + * Allready existing objects get destroyed. * * @param this calling object - * @param prf pointer to the new prf_t object + * @param proposal proposal used to get informations for transform + * objects (algorithms, key lengths, etc.) */ - void (*set_prf) (protected_ike_sa_t *this,prf_t *prf); + status_t (*create_transforms_from_proposal) (protected_ike_sa_t *this,proposal_substructure_t *proposal); /** * Sets the last requested message. diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c index 510697720..fd8032695 100644 --- a/Source/charon/sa/states/ike_sa_init_requested.c +++ b/Source/charon/sa/states/ike_sa_init_requested.c @@ -136,12 +136,10 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t { case SECURITY_ASSOCIATION: { - sa_payload_t *sa_payload = (sa_payload_t*)payload; - iterator_t *suggested_proposals; - encryption_algorithm_t encryption_algorithm = ENCR_UNDEFINED; - pseudo_random_function_t pseudo_random_function = PRF_UNDEFINED; - integrity_algorithm_t integrity_algorithm = AUTH_UNDEFINED; - prf_t *prf; + sa_payload_t *sa_payload = (sa_payload_t*)payload; + iterator_t *suggested_proposals; + proposal_substructure_t *suggested_proposal; + bool valid; /* get the list of suggested proposals */ @@ -153,27 +151,46 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t return status; } - /* now let the configuration-manager return the transforms for the given proposal*/ - this->logger->log(this->logger, CONTROL | MOST, "Get transforms for suggested proposal"); - status = global_configuration_manager->get_transforms_for_host_and_proposals(global_configuration_manager, - this->ike_sa->get_other_host(this->ike_sa), suggested_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm); + /* now let the configuration-manager check the selected proposals*/ + this->logger->log(this->logger, CONTROL | MOST, "Check suggested proposals"); + status = global_configuration_manager->check_selected_proposals_for_host(global_configuration_manager, + this->ike_sa->get_other_host(this->ike_sa), suggested_proposals,&valid); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | MORE, "Suggested proposals not supported!"); + this->logger->log(this->logger, ERROR | MORE, "Could not check suggested proposals!"); suggested_proposals->destroy(suggested_proposals); payloads->destroy(payloads); return status; } + + if (!valid) + { + this->logger->log(this->logger, ERROR | MORE, "Suggested proposals not accepted!"); + payloads->destroy(payloads); + return status; + } + + + /* let the ike_sa create their own transforms from proposal informations */ + suggested_proposals->reset(suggested_proposals); + /* TODO check for true*/ + suggested_proposals->has_next(suggested_proposals); + status = suggested_proposals->current(suggested_proposals,(void **)&suggested_proposal); suggested_proposals->destroy(suggested_proposals); - - prf = prf_create(pseudo_random_function); - if (prf == NULL) + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not get first proposal"); + payloads->destroy(payloads); + return status; + } + + status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,suggested_proposal); + if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | MORE, "PRF type not supported"); + this->logger->log(this->logger, ERROR | MORE, "Transform objects could not be created from selected proposal"); payloads->destroy(payloads); - return FAILED; + return status; } - this->ike_sa->set_prf(this->ike_sa,prf); /* ok, we have what we need for sa_payload */ diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c index 9c6067faa..8a8e0c6fc 100644 --- a/Source/charon/sa/states/responder_init.c +++ b/Source/charon/sa/states/responder_init.c @@ -223,10 +223,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa { sa_payload_t *sa_payload = (sa_payload_t*)payload; iterator_t *suggested_proposals, *accepted_proposals; - encryption_algorithm_t encryption_algorithm = ENCR_UNDEFINED; - pseudo_random_function_t pseudo_random_function = PRF_UNDEFINED; - integrity_algorithm_t integrity_algorithm = AUTH_UNDEFINED; - prf_t *prf; + proposal_substructure_t *accepted_proposal; status = this->proposals->create_iterator(this->proposals, &accepted_proposals, FALSE); if (status != SUCCESS) @@ -260,12 +257,13 @@ static status_t process_message(private_responder_init_t *this, message_t *messa /* iterators are not needed anymore */ suggested_proposals->destroy(suggested_proposals); - - /* now let the configuration-manager return the transforms for the given proposal*/ - this->logger->log(this->logger, CONTROL | MOST, "Get transforms for accepted proposal"); - status = global_configuration_manager->get_transforms_for_host_and_proposals(global_configuration_manager, - this->ike_sa->get_other_host(this->ike_sa), accepted_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm); + + /* let the ike_sa create their own transforms from proposal informations */ + accepted_proposals->reset(accepted_proposals); + /* TODO check for true*/ + accepted_proposals->has_next(accepted_proposals); + status = accepted_proposals->current(accepted_proposals,(void **)&accepted_proposal); if (status != SUCCESS) { this->logger->log(this->logger, ERROR | MORE, "Accepted proposals not supported?!"); @@ -273,16 +271,15 @@ static status_t process_message(private_responder_init_t *this, message_t *messa payloads->destroy(payloads); return status; } - accepted_proposals->destroy(accepted_proposals); - prf = prf_create(pseudo_random_function); - if (prf == NULL) + status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,accepted_proposal); + accepted_proposals->destroy(accepted_proposals); + if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | MORE, "PRF type not supported"); + this->logger->log(this->logger, ERROR | MORE, "Transform objects could not be created from selected proposal"); payloads->destroy(payloads); - return FAILED; + return status; } - this->ike_sa->set_prf(this->ike_sa,prf); this->logger->log(this->logger, CONTROL | MORE, "SA Payload processed"); /* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/ @@ -397,8 +394,6 @@ static status_t process_message(private_responder_init_t *this, message_t *messa this->logger->log(this->logger, ERROR | MORE, "Secrets could not be computed!"); return status; } - - /* set up the reply */ status = this->ike_sa->build_message(this->ike_sa, IKE_SA_INIT, FALSE, &response); |