- key derivation for child_sa works
This commit is contained in:
parent
5b97779f66
commit
aeda79ff78
|
@ -18,10 +18,7 @@ MAIN_DIR= ./
|
|||
|
||||
LDFLAGS= -lgmp -lpthread
|
||||
|
||||
CFLAGS+= -Wall \
|
||||
-DLEAK_DETECTIVE \
|
||||
-I. \
|
||||
-g #-Werror
|
||||
CFLAGS+= -Wall -I. -g -DLEAK_DETECTIVE
|
||||
|
||||
# objects is extended by each included Makefile
|
||||
OBJS=
|
||||
|
|
|
@ -24,6 +24,8 @@
|
|||
|
||||
|
||||
#include <utils/allocator.h>
|
||||
#include <daemon.h>
|
||||
|
||||
|
||||
typedef struct private_child_sa_t private_child_sa_t;
|
||||
|
||||
|
@ -37,9 +39,14 @@ struct private_child_sa_t {
|
|||
child_sa_t public;
|
||||
|
||||
/**
|
||||
* Type of this child sa, ESP or AH.
|
||||
* CHILD_SAs own logger
|
||||
*/
|
||||
protocol_id_t sa_type;
|
||||
logger_t *logger;
|
||||
|
||||
/**
|
||||
* Protocols used in this SA
|
||||
*/
|
||||
protocol_id_t protocols[2];
|
||||
};
|
||||
|
||||
|
||||
|
@ -56,22 +63,61 @@ static u_int32_t get_spi(private_child_sa_t *this)
|
|||
*/
|
||||
static void destroy(private_child_sa_t *this)
|
||||
{
|
||||
charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
|
||||
allocator_free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
child_sa_t * child_sa_create(protocol_id_t sa_type, prf_plus_t *prf_plus)
|
||||
child_sa_t * child_sa_create(child_proposal_t *proposal, prf_plus_t *prf_plus)
|
||||
{
|
||||
private_child_sa_t *this = allocator_alloc_thing(private_child_sa_t);
|
||||
u_int i;
|
||||
|
||||
/* public functions */
|
||||
this->public.get_spi = (u_int32_t(*)(child_sa_t*))get_spi;
|
||||
this->public.destroy = (void(*)(child_sa_t*))destroy;
|
||||
|
||||
/* private data */
|
||||
this->sa_type = sa_type;
|
||||
this->logger = charon->logger_manager->create_logger(charon->logger_manager, CHILD_SA, NULL);
|
||||
proposal->get_protocols(proposal, this->protocols);
|
||||
|
||||
/* derive keys */
|
||||
for (i = 0; i<2; i++)
|
||||
{
|
||||
if (this->protocols[i] != UNDEFINED_PROTOCOL_ID)
|
||||
{
|
||||
algorithm_t *algo;
|
||||
chunk_t key;
|
||||
|
||||
/* get encryption key */
|
||||
if (proposal->get_algorithm(proposal, this->protocols[i], ENCRYPTION_ALGORITHM, &algo))
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s, ",
|
||||
mapping_find(protocol_id_m, this->protocols[i]),
|
||||
mapping_find(transform_type_m, ENCRYPTION_ALGORITHM),
|
||||
mapping_find(encryption_algorithm_m, algo->algorithm));
|
||||
|
||||
prf_plus->allocate_bytes(prf_plus, algo->key_size, &key);
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "key:", &key);
|
||||
allocator_free_chunk(&key);
|
||||
}
|
||||
|
||||
/* get integrity key */
|
||||
if (proposal->get_algorithm(proposal, this->protocols[i], INTEGRITY_ALGORITHM, &algo))
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s,",
|
||||
mapping_find(protocol_id_m, this->protocols[i]),
|
||||
mapping_find(transform_type_m, INTEGRITY_ALGORITHM),
|
||||
mapping_find(integrity_algorithm_m, algo->algorithm));
|
||||
|
||||
prf_plus->allocate_bytes(prf_plus, algo->key_size, &key);
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "key:", &key);
|
||||
allocator_free_chunk(&key);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return (&this->public);
|
||||
}
|
||||
|
|
|
@ -33,7 +33,6 @@ typedef struct child_sa_t child_sa_t;
|
|||
/**
|
||||
* @brief Represents a CHILD_SA between to hosts.
|
||||
*
|
||||
* An IKE_SA must already be established.
|
||||
*
|
||||
* @b Constructors:
|
||||
* - child_sa_create
|
||||
|
@ -68,16 +67,6 @@ struct child_sa_t {
|
|||
* @return child_sa_t object
|
||||
* @ingroup sa
|
||||
*/
|
||||
child_sa_t * child_sa_create(protocol_id_t protocol_id, prf_plus_t *prf_plus);
|
||||
|
||||
/**
|
||||
* @brief Constructor to create a new CHILD_SA.
|
||||
*
|
||||
* @param protocol_id protocol id (AH or ESP) of CHILD_SA
|
||||
* @param prf_plus prf_plus_t object use to derive shared secrets
|
||||
* @return child_sa_t object
|
||||
* @ingroup sa
|
||||
*/
|
||||
child_sa_t * child_sa_create_with_spi(protocol_id_t protocol_id, prf_plus_t *prf_plus);
|
||||
child_sa_t * child_sa_create(child_proposal_t *proposal, prf_plus_t *prf_plus);
|
||||
|
||||
#endif /*_CHILD_SA_H_*/
|
||||
|
|
|
@ -33,6 +33,7 @@
|
|||
#include <transforms/crypters/crypter.h>
|
||||
#include <sa/states/ike_sa_established.h>
|
||||
#include <sa/authenticator.h>
|
||||
#include <sa/child_sa.h>
|
||||
|
||||
typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
|
||||
|
||||
|
@ -327,7 +328,9 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
|
|||
{
|
||||
child_proposal_t *proposal, *proposal_tmp;
|
||||
linked_list_t *proposal_list;
|
||||
protocol_id_t proto;
|
||||
child_sa_t *child_sa;
|
||||
chunk_t seed;
|
||||
prf_plus_t *prf_plus;
|
||||
|
||||
/* get his selected proposal */
|
||||
proposal_list = sa_payload->get_child_proposals(sa_payload);
|
||||
|
@ -366,27 +369,18 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
|
|||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not offered proposal. Deleting IKE_SA");
|
||||
return DELETE_ME;
|
||||
}
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "selected proposals:");
|
||||
for (proto = AH; proto <= ESP; proto++)
|
||||
{
|
||||
transform_type_t types[] = {ENCRYPTION_ALGORITHM, INTEGRITY_ALGORITHM, DIFFIE_HELLMAN_GROUP, EXTENDED_SEQUENCE_NUMBERS};
|
||||
mapping_t *mappings[] = {encryption_algorithm_m, integrity_algorithm_m, diffie_hellman_group_m, extended_sequence_numbers_m};
|
||||
algorithm_t *algo;
|
||||
int i;
|
||||
for (i = 0; i<sizeof(types)/sizeof(transform_type_t); i++)
|
||||
{
|
||||
if (proposal->get_algorithm(proposal, proto, types[i], &algo))
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s (keysize: %d)",
|
||||
mapping_find(protocol_id_m, proto),
|
||||
mapping_find(transform_type_m, types[i]),
|
||||
mapping_find(mappings[i], algo->algorithm),
|
||||
algo->key_size);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* install child SAs for AH and esp */
|
||||
seed = allocator_alloc_as_chunk(this->sent_nonce.len + this->received_nonce.len);
|
||||
memcpy(seed.ptr, this->sent_nonce.ptr, this->sent_nonce.len);
|
||||
memcpy(seed.ptr + this->sent_nonce.len, this->received_nonce.ptr, this->received_nonce.len);
|
||||
prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
|
||||
allocator_free_chunk(&seed);
|
||||
|
||||
child_sa = child_sa_create(proposal, prf_plus);
|
||||
prf_plus->destroy(prf_plus);
|
||||
child_sa->destroy(child_sa);
|
||||
|
||||
/* TODO: Proposal? child_sa */
|
||||
proposal->destroy(proposal);
|
||||
|
||||
return SUCCESS;
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
#include <daemon.h>
|
||||
#include <utils/allocator.h>
|
||||
#include <sa/authenticator.h>
|
||||
#include <sa/child_sa.h>
|
||||
#include <encoding/payloads/ts_payload.h>
|
||||
#include <encoding/payloads/sa_payload.h>
|
||||
#include <encoding/payloads/id_payload.h>
|
||||
|
@ -389,7 +390,9 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
|
|||
child_proposal_t *proposal, *proposal_tmp;
|
||||
linked_list_t *proposal_list;
|
||||
sa_payload_t *sa_response;
|
||||
protocol_id_t proto;
|
||||
child_sa_t *child_sa;
|
||||
prf_plus_t *prf_plus;
|
||||
chunk_t seed;
|
||||
|
||||
/* TODO: child sa stuff */
|
||||
|
||||
|
@ -421,51 +424,23 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
|
|||
this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER);
|
||||
return DELETE_ME;
|
||||
}
|
||||
for (proto = AH; proto <= ESP; proto++)
|
||||
{
|
||||
transform_type_t types[] = {ENCRYPTION_ALGORITHM, INTEGRITY_ALGORITHM, DIFFIE_HELLMAN_GROUP, EXTENDED_SEQUENCE_NUMBERS};
|
||||
mapping_t *mappings[] = {encryption_algorithm_m, integrity_algorithm_m, diffie_hellman_group_m, extended_sequence_numbers_m};
|
||||
algorithm_t *algo;
|
||||
int i;
|
||||
for (i = 0; i<sizeof(types)/sizeof(transform_type_t); i++)
|
||||
{
|
||||
if (proposal->get_algorithm(proposal, proto, types[i], &algo))
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s (keysize: %d)",
|
||||
mapping_find(protocol_id_m, proto),
|
||||
mapping_find(transform_type_m, types[i]),
|
||||
mapping_find(mappings[i], algo->algorithm),
|
||||
algo->key_size);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* create payload with selected propsal */
|
||||
sa_response = sa_payload_create_from_child_proposal(proposal);
|
||||
response->add_payload(response, (payload_t*)sa_response);
|
||||
proposal->destroy(proposal);
|
||||
|
||||
/* install child SAs for AH and esp */
|
||||
// algorithm_t *encr, *integ;
|
||||
// char enc_key_buffer[] = "123";
|
||||
// chunk_t enc_key = {ptr: enc_key_buffer, len: 4};
|
||||
// char int_key_buffer[] = "345";
|
||||
// chunk_t int_key = {ptr: int_key_buffer, len: 4};
|
||||
// proposal->get_algorithm(proposal, ESP, ENCRYPTION_ALGORITHM, &encr);
|
||||
// proposal->get_algorithm(proposal, ESP, INTEGRITY_ALGORITHM, &integ);
|
||||
//
|
||||
// charon->kernel_interface->add_sa(charon->kernel_interface,
|
||||
// this->ike_sa->get_my_host(this->ike_sa),
|
||||
// this->ike_sa->get_other_host(this->ike_sa),
|
||||
// proposal->get_spi(proposal, AH),
|
||||
// AH,
|
||||
// TRUE,
|
||||
// encr->algorithm, encr->key_size, enc_key,
|
||||
// integ->algorithm, integ->key_size, int_key,
|
||||
// TRUE);
|
||||
//
|
||||
// POS;
|
||||
seed = allocator_alloc_as_chunk(this->received_nonce.len + this->sent_nonce.len);
|
||||
memcpy(seed.ptr, this->received_nonce.ptr, this->received_nonce.len);
|
||||
memcpy(seed.ptr + this->received_nonce.len, this->sent_nonce.ptr, this->sent_nonce.len);
|
||||
prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
|
||||
allocator_free_chunk(&seed);
|
||||
|
||||
child_sa = child_sa_create(proposal, prf_plus);
|
||||
prf_plus->destroy(prf_plus);
|
||||
child_sa->destroy(child_sa);
|
||||
|
||||
proposal->destroy(proposal);
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
|
|
|
@ -173,12 +173,7 @@ static void logg(private_logger_t *this, logger_level_t loglevel, char *format,
|
|||
static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *label, char *bytes, size_t len)
|
||||
{
|
||||
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
|
||||
|
||||
/* since me can't do multi-line output to syslog,
|
||||
* we must do multiple syslogs. To avoid
|
||||
* problems in output order, lock this by a mutex.
|
||||
*/
|
||||
pthread_mutex_lock(&mutex);
|
||||
|
||||
|
||||
if ((this->level & loglevel) == loglevel)
|
||||
{
|
||||
|
@ -187,6 +182,13 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab
|
|||
char *buffer_pos;
|
||||
char *bytes_pos, *bytes_roof;
|
||||
int i;
|
||||
int line_start = 0;
|
||||
|
||||
/* since me can't do multi-line output to syslog,
|
||||
* we must do multiple syslogs. To avoid
|
||||
* problems in output order, lock this by a mutex.
|
||||
*/
|
||||
pthread_mutex_lock(&mutex);
|
||||
|
||||
|
||||
format = "%s (%d bytes)";
|
||||
|
@ -217,12 +219,13 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab
|
|||
buffer_pos = buffer;
|
||||
if (this->output == NULL)
|
||||
{
|
||||
syslog(LOG_INFO, "| %s", buffer);
|
||||
syslog(LOG_INFO, "[=>] [%5d ] %s", line_start, buffer);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(this->output, "| %s\n", buffer);
|
||||
fprintf(this->output, "[=>] [%5d ] %s\n", line_start, buffer);
|
||||
}
|
||||
line_start += 16;
|
||||
}
|
||||
else if ((i % 8) == 0)
|
||||
{
|
||||
|
@ -249,15 +252,15 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab
|
|||
buffer_pos = buffer;
|
||||
if (this->output == NULL)
|
||||
{
|
||||
syslog(LOG_INFO, "| %s", buffer);
|
||||
syslog(LOG_INFO, "[=>] [%5d ] %s", line_start, buffer);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(this->output, "| %s\n", buffer);
|
||||
fprintf(this->output, "[=>] [%5d ] %s\n", line_start, buffer);
|
||||
}
|
||||
}
|
||||
pthread_mutex_unlock(&mutex);
|
||||
}
|
||||
pthread_mutex_unlock(&mutex);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -35,6 +35,7 @@ mapping_t logger_context_t_mappings[] = {
|
|||
{GENERATOR, "GENRAT"},
|
||||
{IKE_SA, "IKE_SA"},
|
||||
{IKE_SA_MANAGER, "ISAMGR"},
|
||||
{CHILD_SA, "CHLDSA"},
|
||||
{MESSAGE, "MESSAG"},
|
||||
{THREAD_POOL, "THPOOL"},
|
||||
{WORKER, "WORKER"},
|
||||
|
@ -46,7 +47,6 @@ mapping_t logger_context_t_mappings[] = {
|
|||
{DAEMON, "DAEMON"},
|
||||
{CONFIGURATION_MANAGER, "CONFIG"},
|
||||
{ENCRYPTION_PAYLOAD, "ENCPLD"},
|
||||
{PRIME_POOL, "PRIMEP"},
|
||||
{MAPPING_END, NULL},
|
||||
};
|
||||
|
||||
|
@ -178,6 +178,10 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
|
|||
logger_level |= LEVEL1;
|
||||
log_thread_ids = TRUE;
|
||||
break;
|
||||
case CHILD_SA:
|
||||
logger_level |= LEVEL1|PRIVATE;
|
||||
log_thread_ids = TRUE;
|
||||
break;
|
||||
case CONFIGURATION_MANAGER:
|
||||
log_thread_ids = TRUE;
|
||||
break;
|
||||
|
@ -198,8 +202,6 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
|
|||
break;
|
||||
case THREAD_POOL:
|
||||
break;
|
||||
case PRIME_POOL:
|
||||
break;
|
||||
case SCHEDULER:
|
||||
logger_level = 0;
|
||||
break;
|
||||
|
|
|
@ -40,6 +40,7 @@ enum logger_context_t {
|
|||
GENERATOR,
|
||||
IKE_SA,
|
||||
IKE_SA_MANAGER,
|
||||
CHILD_SA,
|
||||
MESSAGE,
|
||||
THREAD_POOL,
|
||||
WORKER,
|
||||
|
@ -51,7 +52,6 @@ enum logger_context_t {
|
|||
DAEMON,
|
||||
CONFIGURATION_MANAGER,
|
||||
ENCRYPTION_PAYLOAD,
|
||||
PRIME_POOL,
|
||||
};
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue