ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

- key derivation for child_sa works

This commit is contained in:
Martin Willi 2006-02-10 08:20:06 +00:00
parent 5b97779f66
commit aeda79ff78
8 changed files with 101 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Source/charon/Makefile
View File

@ -18,10 +18,7 @@ MAIN_DIR= ./
LDFLAGS= -lgmp -lpthread
CFLAGS+= -Wall \
-DLEAK_DETECTIVE \
-I. \
-g #-Werror
CFLAGS+= -Wall -I. -g -DLEAK_DETECTIVE
# objects is extended by each included Makefile
OBJS=

54
Source/charon/sa/child_sa.c
View File

@ -24,6 +24,8 @@
#include <utils/allocator.h>
#include <daemon.h>
typedef struct private_child_sa_t private_child_sa_t;
@ -37,9 +39,14 @@ struct private_child_sa_t {
child_sa_t public;
/**
* Type of this child sa, ESP or AH.
* CHILD_SAs own logger
*/
protocol_id_t sa_type;
logger_t *logger;
/**
* Protocols used in this SA
*/
protocol_id_t protocols[2];
};
@ -56,22 +63,61 @@ static u_int32_t get_spi(private_child_sa_t *this)
*/
static void destroy(private_child_sa_t *this)
{
charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
allocator_free(this);
}
/*
* Described in header.
*/
child_sa_t * child_sa_create(protocol_id_t sa_type, prf_plus_t *prf_plus)
child_sa_t * child_sa_create(child_proposal_t *proposal, prf_plus_t *prf_plus)
{
private_child_sa_t *this = allocator_alloc_thing(private_child_sa_t);
u_int i;
/* public functions */
this->public.get_spi = (u_int32_t(*)(child_sa_t*))get_spi;
this->public.destroy = (void(*)(child_sa_t*))destroy;
/* private data */
this->sa_type = sa_type;
this->logger = charon->logger_manager->create_logger(charon->logger_manager, CHILD_SA, NULL);
proposal->get_protocols(proposal, this->protocols);
/* derive keys */
for (i = 0; i<2; i++)
{
if (this->protocols[i] != UNDEFINED_PROTOCOL_ID)
{
algorithm_t *algo;
chunk_t key;
/* get encryption key */
if (proposal->get_algorithm(proposal, this->protocols[i], ENCRYPTION_ALGORITHM, &algo))
{
this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s, ",
mapping_find(protocol_id_m, this->protocols[i]),
mapping_find(transform_type_m, ENCRYPTION_ALGORITHM),
mapping_find(encryption_algorithm_m, algo->algorithm));
prf_plus->allocate_bytes(prf_plus, algo->key_size, &key);
this->logger->log_chunk(this->logger, PRIVATE, "key:", &key);
allocator_free_chunk(&key);
}
/* get integrity key */
if (proposal->get_algorithm(proposal, this->protocols[i], INTEGRITY_ALGORITHM, &algo))
{
this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s,",
mapping_find(protocol_id_m, this->protocols[i]),
mapping_find(transform_type_m, INTEGRITY_ALGORITHM),
mapping_find(integrity_algorithm_m, algo->algorithm));
prf_plus->allocate_bytes(prf_plus, algo->key_size, &key);
this->logger->log_chunk(this->logger, PRIVATE, "key:", &key);
allocator_free_chunk(&key);
}
}
}
return (&this->public);
}

13
Source/charon/sa/child_sa.h
View File

@ -33,7 +33,6 @@ typedef struct child_sa_t child_sa_t;
/**
* @brief Represents a CHILD_SA between to hosts.
*
* An IKE_SA must already be established.
*
* @b Constructors:
* - child_sa_create
@ -68,16 +67,6 @@ struct child_sa_t {
* @return child_sa_t object
* @ingroup sa
*/
child_sa_t * child_sa_create(protocol_id_t protocol_id, prf_plus_t *prf_plus);
/**
* @brief Constructor to create a new CHILD_SA.
*
* @param protocol_id protocol id (AH or ESP) of CHILD_SA
* @param prf_plus prf_plus_t object use to derive shared secrets
* @return child_sa_t object
* @ingroup sa
*/
child_sa_t * child_sa_create_with_spi(protocol_id_t protocol_id, prf_plus_t *prf_plus);
child_sa_t * child_sa_create(child_proposal_t *proposal, prf_plus_t *prf_plus);
#endif /*_CHILD_SA_H_*/

36
Source/charon/sa/states/ike_auth_requested.c
View File

@ -33,6 +33,7 @@
#include <transforms/crypters/crypter.h>
#include <sa/states/ike_sa_established.h>
#include <sa/authenticator.h>
#include <sa/child_sa.h>
typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
@ -327,7 +328,9 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
{
child_proposal_t *proposal, *proposal_tmp;
linked_list_t *proposal_list;
protocol_id_t proto;
child_sa_t *child_sa;
chunk_t seed;
prf_plus_t *prf_plus;
/* get his selected proposal */
proposal_list = sa_payload->get_child_proposals(sa_payload);
@ -366,27 +369,18 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not offered proposal. Deleting IKE_SA");
return DELETE_ME;
}
this->logger->log(this->logger, CONTROL|LEVEL1, "selected proposals:");
for (proto = AH; proto <= ESP; proto++)
{
transform_type_t types[] = {ENCRYPTION_ALGORITHM, INTEGRITY_ALGORITHM, DIFFIE_HELLMAN_GROUP, EXTENDED_SEQUENCE_NUMBERS};
mapping_t *mappings[] = {encryption_algorithm_m, integrity_algorithm_m, diffie_hellman_group_m, extended_sequence_numbers_m};
algorithm_t *algo;
int i;
for (i = 0; i<sizeof(types)/sizeof(transform_type_t); i++)
{
if (proposal->get_algorithm(proposal, proto, types[i], &algo))
{
this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s (keysize: %d)",
mapping_find(protocol_id_m, proto),
mapping_find(transform_type_m, types[i]),
mapping_find(mappings[i], algo->algorithm),
algo->key_size);
}
}
}
/* install child SAs for AH and esp */
seed = allocator_alloc_as_chunk(this->sent_nonce.len + this->received_nonce.len);
memcpy(seed.ptr, this->sent_nonce.ptr, this->sent_nonce.len);
memcpy(seed.ptr + this->sent_nonce.len, this->received_nonce.ptr, this->received_nonce.len);
prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
allocator_free_chunk(&seed);
child_sa = child_sa_create(proposal, prf_plus);
prf_plus->destroy(prf_plus);
child_sa->destroy(child_sa);
/* TODO: Proposal? child_sa */
proposal->destroy(proposal);
return SUCCESS;

53
Source/charon/sa/states/ike_sa_init_responded.c
View File

@ -25,6 +25,7 @@
#include <daemon.h>
#include <utils/allocator.h>
#include <sa/authenticator.h>
#include <sa/child_sa.h>
#include <encoding/payloads/ts_payload.h>
#include <encoding/payloads/sa_payload.h>
#include <encoding/payloads/id_payload.h>
@ -389,7 +390,9 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
child_proposal_t *proposal, *proposal_tmp;
linked_list_t *proposal_list;
sa_payload_t *sa_response;
protocol_id_t proto;
child_sa_t *child_sa;
prf_plus_t *prf_plus;
chunk_t seed;
/* TODO: child sa stuff */
@ -421,51 +424,23 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER);
return DELETE_ME;
}
for (proto = AH; proto <= ESP; proto++)
{
transform_type_t types[] = {ENCRYPTION_ALGORITHM, INTEGRITY_ALGORITHM, DIFFIE_HELLMAN_GROUP, EXTENDED_SEQUENCE_NUMBERS};
mapping_t *mappings[] = {encryption_algorithm_m, integrity_algorithm_m, diffie_hellman_group_m, extended_sequence_numbers_m};
algorithm_t *algo;
int i;
for (i = 0; i<sizeof(types)/sizeof(transform_type_t); i++)
{
if (proposal->get_algorithm(proposal, proto, types[i], &algo))
{
this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s (keysize: %d)",
mapping_find(protocol_id_m, proto),
mapping_find(transform_type_m, types[i]),
mapping_find(mappings[i], algo->algorithm),
algo->key_size);
}
}
}
/* create payload with selected propsal */
sa_response = sa_payload_create_from_child_proposal(proposal);
response->add_payload(response, (payload_t*)sa_response);
proposal->destroy(proposal);
/* install child SAs for AH and esp */
// algorithm_t *encr, *integ;
// char enc_key_buffer[] = "123";
// chunk_t enc_key = {ptr: enc_key_buffer, len: 4};
// char int_key_buffer[] = "345";
// chunk_t int_key = {ptr: int_key_buffer, len: 4};
// proposal->get_algorithm(proposal, ESP, ENCRYPTION_ALGORITHM, &encr);
// proposal->get_algorithm(proposal, ESP, INTEGRITY_ALGORITHM, &integ);
//
// charon->kernel_interface->add_sa(charon->kernel_interface,
// this->ike_sa->get_my_host(this->ike_sa),
// this->ike_sa->get_other_host(this->ike_sa),
// proposal->get_spi(proposal, AH),
// AH,
// TRUE,
// encr->algorithm, encr->key_size, enc_key,
// integ->algorithm, integ->key_size, int_key,
// TRUE);
//
// POS;
seed = allocator_alloc_as_chunk(this->received_nonce.len + this->sent_nonce.len);
memcpy(seed.ptr, this->received_nonce.ptr, this->received_nonce.len);
memcpy(seed.ptr + this->received_nonce.len, this->sent_nonce.ptr, this->sent_nonce.len);
prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
allocator_free_chunk(&seed);
child_sa = child_sa_create(proposal, prf_plus);
prf_plus->destroy(prf_plus);
child_sa->destroy(child_sa);
proposal->destroy(proposal);
return SUCCESS;
}

25
Source/charon/utils/logger.c
View File

@ -173,12 +173,7 @@ static void logg(private_logger_t *this, logger_level_t loglevel, char *format,
static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *label, char *bytes, size_t len)
{
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
/* since me can't do multi-line output to syslog,
* we must do multiple syslogs. To avoid
* problems in output order, lock this by a mutex.
*/
pthread_mutex_lock(&mutex);
if ((this->level & loglevel) == loglevel)
{
@ -187,6 +182,13 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab
char *buffer_pos;
char *bytes_pos, *bytes_roof;
int i;
int line_start = 0;
/* since me can't do multi-line output to syslog,
* we must do multiple syslogs. To avoid
* problems in output order, lock this by a mutex.
*/
pthread_mutex_lock(&mutex);
format = "%s (%d bytes)";
@ -217,12 +219,13 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab
buffer_pos = buffer;
if (this->output == NULL)
{
syslog(LOG_INFO, "| %s", buffer);
syslog(LOG_INFO, "[=>] [%5d ] %s", line_start, buffer);
}
else
{
fprintf(this->output, "| %s\n", buffer);
fprintf(this->output, "[=>] [%5d ] %s\n", line_start, buffer);
}
line_start += 16;
}
else if ((i % 8) == 0)
{
@ -249,15 +252,15 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab
buffer_pos = buffer;
if (this->output == NULL)
{
syslog(LOG_INFO, "| %s", buffer);
syslog(LOG_INFO, "[=>] [%5d ] %s", line_start, buffer);
}
else
{
fprintf(this->output, "| %s\n", buffer);
fprintf(this->output, "[=>] [%5d ] %s\n", line_start, buffer);
}
}
pthread_mutex_unlock(&mutex);
}
pthread_mutex_unlock(&mutex);
}
/**

8
Source/charon/utils/logger_manager.c
View File

@ -35,6 +35,7 @@ mapping_t logger_context_t_mappings[] = {
{GENERATOR, "GENRAT"},
{IKE_SA, "IKE_SA"},
{IKE_SA_MANAGER, "ISAMGR"},
{CHILD_SA, "CHLDSA"},
{MESSAGE, "MESSAG"},
{THREAD_POOL, "THPOOL"},
{WORKER, "WORKER"},
@ -46,7 +47,6 @@ mapping_t logger_context_t_mappings[] = {
{DAEMON, "DAEMON"},
{CONFIGURATION_MANAGER, "CONFIG"},
{ENCRYPTION_PAYLOAD, "ENCPLD"},
{PRIME_POOL, "PRIMEP"},
{MAPPING_END, NULL},
};
@ -178,6 +178,10 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
logger_level |= LEVEL1;
log_thread_ids = TRUE;
break;
case CHILD_SA:
logger_level |= LEVEL1|PRIVATE;
log_thread_ids = TRUE;
break;
case CONFIGURATION_MANAGER:
log_thread_ids = TRUE;
break;
@ -198,8 +202,6 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
break;
case THREAD_POOL:
break;
case PRIME_POOL:
break;
case SCHEDULER:
logger_level = 0;
break;

2
Source/charon/utils/logger_manager.h
View File

@ -40,6 +40,7 @@ enum logger_context_t {
GENERATOR,
IKE_SA,
IKE_SA_MANAGER,
CHILD_SA,
MESSAGE,
THREAD_POOL,
WORKER,
@ -51,7 +52,6 @@ enum logger_context_t {
DAEMON,
CONFIGURATION_MANAGER,
ENCRYPTION_PAYLOAD,
PRIME_POOL,
};