ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

- added compution of all needed keys and also creation of needed 

transform objects
This commit is contained in:
Jan Hutter 2005-11-28 15:20:51 +00:00
parent 61068e9152
commit b9d9f18874
13 changed files with 390 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

97
Source/charon/config/configuration_manager.c
View File

@ -237,7 +237,7 @@ static status_t get_proposals_for_host(private_configuration_manager_t *this, ho
proposal->destroy(proposal);
return OUT_OF_RES;
}
transform->set_transform_type(transform, INTEGRITIY_ALGORITHM);
transform->set_transform_type(transform, INTEGRITY_ALGORITHM);
transform->set_transform_id(transform, AUTH_HMAC_MD5_96);
attribute = transform_attribute_create();
@ -320,102 +320,17 @@ static status_t select_proposals_for_host(private_configuration_manager_t *this,
}
/**
* Implements function configuration_manager_t.get_transforms_for_host_and_proposals.
* Implements function configuration_manager_t.check_selected_proposals_for_host.
*/
static status_t get_transforms_for_host_and_proposals (private_configuration_manager_t *this, host_t *host, iterator_t *proposals,encryption_algorithm_t *encryption_algorithm,pseudo_random_function_t *pseudo_random_function, integrity_algorithm_t *integrity_algorithm)
static status_t check_selected_proposals_for_host (private_configuration_manager_t *this, host_t *host, iterator_t *proposals,bool *valid)
{
/*
* Currently the given proposals are not checked if they are valid for specific host!
*
* The first proposal is taken and the appropriate transform objects are created (only if they are supported)
* The first proposal is taken
*/
encryption_algorithm_t selected_encryption_algorithm = ENCR_UNDEFINED;
pseudo_random_function_t selected_pseudo_random_function = PRF_UNDEFINED;
integrity_algorithm_t selected_integrity_algorithm = AUTH_UNDEFINED;
proposal_substructure_t *proposal;
iterator_t *transforms;
status_t status;
this->logger->log(this->logger,CONTROL|MORE, "Going to get transforms for given proposal");
if (!proposals->has_next(proposals))
{
this->logger->log(this->logger,ERROR | MORE, "No proposal available");
return FAILED;
}
status = proposals->current(proposals,(void **) &(proposal));
if (status != SUCCESS)
{
this->logger->log(this->logger,ERROR, "Fatal error: could not get first proposal from iterator");
return status;
}
status = proposal->create_transform_substructure_iterator(proposal,&transforms,TRUE);
if (status != SUCCESS)
{
this->logger->log(this->logger,ERROR, "Fatal error: could not create iterator of transforms");
return status;
}
while (transforms->has_next(transforms))
{
transform_substructure_t *current_transform;
transform_type_t transform_type;
u_int16_t transform_id;
status = transforms->current(transforms,(void **) &(current_transform));
if (status != SUCCESS)
{
this->logger->log(this->logger,ERROR, "Fatal error: could not get current transform substructure object");
transforms->destroy(transforms);
return status;
}
transform_type = current_transform->get_transform_type(current_transform);
transform_id = current_transform->get_transform_id(current_transform);
this->logger->log(this->logger,CONTROL | MOST, "Going to process transform of type %s",mapping_find(transform_type_m,transform_type));
switch (transform_type)
{
case ENCRYPTION_ALGORITHM:
{
this->logger->log(this->logger,CONTROL | MORE, "Encryption algorithm: %s",mapping_find(encryption_algorithm_m,transform_id));
selected_encryption_algorithm = transform_id;
break;
}
case PSEUDO_RANDOM_FUNCTION:
{
this->logger->log(this->logger,CONTROL | MORE, "Create transform object for PRF of type %s",mapping_find(pseudo_random_function_m,transform_id));
selected_pseudo_random_function = transform_id;
break;
}
case INTEGRITIY_ALGORITHM:
{
this->logger->log(this->logger,CONTROL | MORE, "Integrity algorithm: %s",mapping_find(integrity_algorithm_m,transform_id));
selected_integrity_algorithm = transform_id;
break;
}
case DIFFIE_HELLMAN_GROUP:
{
this->logger->log(this->logger,CONTROL | MORE, "DH Group: %s",mapping_find(diffie_hellman_group_m,transform_id));
break;
}
default:
{
this->logger->log(this->logger,ERROR | MORE, "Transform type not supported!");
transforms->destroy(transforms);
return FAILED;
}
}
}
transforms->destroy(transforms);
*encryption_algorithm = selected_encryption_algorithm;
*pseudo_random_function = selected_pseudo_random_function;
*integrity_algorithm = selected_integrity_algorithm;
this->logger->log(this->logger,CONTROL|MORE, "Going to check selected proposals");
return SUCCESS;
}
@ -472,7 +387,7 @@ configuration_manager_t *configuration_manager_create()
this->public.get_dh_group_number = (status_t(*)(configuration_manager_t*,char*,u_int16_t *, u_int16_t))get_dh_group_number;
this->public.get_proposals_for_host = (status_t(*)(configuration_manager_t*,host_t*,iterator_t*))get_proposals_for_host;
this->public.select_proposals_for_host = (status_t(*)(configuration_manager_t*,host_t*,iterator_t*,iterator_t*))select_proposals_for_host;
this->public.get_transforms_for_host_and_proposals = (status_t (*) (configuration_manager_t *, host_t *, iterator_t *,encryption_algorithm_t *,pseudo_random_function_t *, integrity_algorithm_t *)) get_transforms_for_host_and_proposals;
this->public.check_selected_proposals_for_host = (status_t (*) (configuration_manager_t *, host_t *, iterator_t *,bool *)) check_selected_proposals_for_host;
this->public.is_dh_group_allowed_for_host = (status_t(*)(configuration_manager_t*,host_t*,diffie_hellman_group_t,bool*)) is_dh_group_allowed_for_host;
/* private variables */

27
Source/charon/config/configuration_manager.h
View File

@ -137,23 +137,24 @@ struct configuration_manager_t {
status_t (*select_proposals_for_host) (configuration_manager_t *this, host_t *host, iterator_t *in, iterator_t *out);
/**
* Returns the transforms of type crypter_t, signer_t and prf_t as specified in given proposal.
* Checks if the selected proposals of a remote hosts are valid.
*
*
* @param this calling object
* @param host host information
* @param proposals iterator with selected proposals
* @param[out] encryption_algorithm
* @param[out] pseudo_random_function
* @param[out] integrity_algorithm
* @param this calling object
* @param host host information
* @param proposals iterator with selected proposals
* @param[out] valid TRUE if selected proposals are accepted
*
* @return
* - OUT_OF_RES
* - FAILED
* - NOT_FOUND (not yet implemented)
* - SUCCESS
* @return
* - OUT_OF_RES
* - FAILED
* - NOT_FOUND (not yet implemented)
* - SUCCESS
*/
status_t (*get_transforms_for_host_and_proposals) (configuration_manager_t *this, host_t *host, iterator_t *proposals,encryption_algorithm_t *encryption_algorithm,pseudo_random_function_t *pseudo_random_function, integrity_algorithm_t *integrity_algorithm);
status_t (*check_selected_proposals_for_host) (configuration_manager_t *this,
host_t *host,
iterator_t *proposals,
bool *valid);
/**
* Checks if a given dh_group number is allowed for a specific host

37
Source/charon/encoding/payloads/proposal_substructure.c
View File

@ -327,6 +327,41 @@ static chunk_t get_spi (private_proposal_substructure_t *this)
return spi;
}
static status_t get_info_for_transform_type (private_proposal_substructure_t *this,transform_type_t type, u_int16_t *transform_id, u_int16_t *key_length)
{
iterator_t *iterator;
status_t status;
u_int16_t found_transform_id;
u_int16_t found_key_length;
status = this->transforms->create_iterator(this->transforms,&iterator,TRUE);
if (status != SUCCESS)
{
return status;
}
while (iterator->has_next(iterator))
{
transform_substructure_t *current_transform;
status = iterator->current(iterator,(void **) &current_transform);
if (status != SUCCESS)
{
break;
}
if (current_transform->get_transform_type(current_transform) == type)
{
/* now get data for specific type */
found_transform_id = current_transform->get_transform_id(current_transform);
status = current_transform->get_key_length(current_transform,&found_key_length);
*transform_id = found_transform_id;
*key_length = found_key_length;
iterator->destroy(iterator);
return status;
}
}
iterator->destroy(iterator);
return FAILED;
}
/**
* Implements private_proposal_substructure_t's compute_length function.
* See #private_proposal_substructure_s.compute_length for description.
@ -483,11 +518,13 @@ proposal_substructure_t *proposal_substructure_create()
this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number;
this->public.set_protocol_id = (status_t (*) (proposal_substructure_t *,u_int8_t))set_protocol_id;
this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id;
this->public.get_info_for_transform_type = (status_t (*) (proposal_substructure_t *,transform_type_t,u_int16_t *, u_int16_t *))get_info_for_transform_type;
this->public.set_spi = (status_t (*) (proposal_substructure_t *,chunk_t))set_spi;
this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi;
this->public.clone = (status_t (*) (proposal_substructure_t *, proposal_substructure_t **)) clone;
this->public.destroy = (status_t (*) (proposal_substructure_t *)) destroy;
/* private functions */
this->compute_length = compute_length;

15
Source/charon/encoding/payloads/proposal_substructure.h
View File

@ -125,6 +125,21 @@ struct proposal_substructure_t {
* @return protocol id of current proposal substructure.
*/
u_int8_t (*get_protocol_id) (proposal_substructure_t *this);
/**
* @brief Get informations for a specific transform type.
*
* @param this calling proposal_substructure_t object
* @param type type to get informations for
* @param transform_id transform id of the specific type
* @param key_length key length of the specific key length transform attribute
* @return
* - SUCCESS if transform type is part of this proposal and
* all data (incl. key length) could be fetched
* - FAILED if transform type is not part of this proposal
* - OUT_OF_RES
*/
status_t (*get_info_for_transform_type) (proposal_substructure_t *this,transform_type_t type, u_int16_t *transform_id, u_int16_t *key_length);
/**

42
Source/charon/encoding/payloads/transform_substructure.c
View File

@ -91,7 +91,7 @@ mapping_t transform_type_m[] = {
{UNDEFINED_TRANSFORM_TYPE, "UNDEFINED_TRANSFORM_TYPE"},
{ENCRYPTION_ALGORITHM, "ENCRYPTION_ALGORITHM"},
{PSEUDO_RANDOM_FUNCTION, "PSEUDO_RANDOM_FUNCTION"},
{INTEGRITIY_ALGORITHM, "INTEGRITIY_ALGORITHM"},
{INTEGRITY_ALGORITHM, "INTEGRITY_ALGORITHM"},
{DIFFIE_HELLMAN_GROUP, "DIFFIE_HELLMAN_GROUP"},
{EXTENDED_SEQUENCE_NUNBERS, "EXTENDED_SEQUENCE_NUNBERS"},
{MAPPING_END, NULL}
@ -177,7 +177,7 @@ static status_t verify(private_transform_substructure_t *this)
}
break;
}
case INTEGRITIY_ALGORITHM:
case INTEGRITY_ALGORITHM:
{
if ((this->transform_id < AUTH_HMAC_MD5_96) || (this->transform_id > AUTH_AES_XCBC_96))
{
@ -442,6 +442,43 @@ static status_t clone(private_transform_substructure_t *this,transform_substruct
}
/**
* Implementation of transform_substructure_t.get_key_length.
*/
static status_t get_key_length(private_transform_substructure_t *this, u_int16_t *key_length)
{
iterator_t *attributes;
status_t status;
status = this->attributes->create_iterator(this->attributes,&attributes,TRUE);
if (status != SUCCESS)
{
return status;
}
while (attributes->has_next(attributes))
{
transform_attribute_t *current_attribute;
status = attributes->current(attributes,(void **) &current_attribute);
if (status != SUCCESS)
{
attributes->destroy(attributes);
return status;
}
if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH)
{
*key_length = current_attribute->get_value(current_attribute);
attributes->destroy(attributes);
return SUCCESS;
}
}
attributes->destroy(attributes);
return FAILED;
}
/**
* Implements payload_t's and transform_substructure_t's destroy function.
* See #payload_s.destroy or transform_substructure_s.destroy for description.
@ -494,6 +531,7 @@ transform_substructure_t *transform_substructure_create()
this->public.get_transform_type = (u_int8_t (*) (transform_substructure_t *)) get_transform_type;
this->public.set_transform_id = (status_t (*) (transform_substructure_t *,u_int16_t)) set_transform_id;
this->public.get_transform_id = (u_int16_t (*) (transform_substructure_t *)) get_transform_id;
this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length;
this->public.clone = (status_t (*) (transform_substructure_t *,transform_substructure_t **)) clone;
this->public.destroy = (status_t (*) (transform_substructure_t *)) destroy;

15
Source/charon/encoding/payloads/transform_substructure.h
View File

@ -56,7 +56,7 @@ enum transform_type_t {
UNDEFINED_TRANSFORM_TYPE = 241,
ENCRYPTION_ALGORITHM = 1,
PSEUDO_RANDOM_FUNCTION = 2,
INTEGRITIY_ALGORITHM = 3,
INTEGRITY_ALGORITHM = 3,
DIFFIE_HELLMAN_GROUP = 4,
EXTENDED_SEQUENCE_NUNBERS = 5
};
@ -180,6 +180,19 @@ struct transform_substructure_t {
* @return Transform id of current transform substructure.
*/
u_int16_t (*get_transform_id) (transform_substructure_t *this);
/**
* @brief get transform id of the current transform.
*
* @param this calling transform_substructure_t object
* @param key_length The key length is written to this location
* @return
* - SUCCESS if a key length attribute is contained
* - FAILED if no key length attribute is part of this
* transform or key length uses more then 16 bit!
* - OUT_OF_RES
*/
status_t (*get_key_length) (transform_substructure_t *this,u_int16_t *key_length);
/**
* @brief Clones an transform_substructure_t object.

201
Source/charon/sa/ike_sa.c
View File

@ -32,6 +32,7 @@
#include <utils/randomizer.h>
#include <transforms/diffie_hellman.h>
#include <transforms/prf_plus.h>
#include <transforms/crypters/crypter.h>
#include <encoding/payloads/sa_payload.h>
#include <encoding/payloads/nonce_payload.h>
#include <encoding/payloads/ke_payload.h>
@ -348,6 +349,9 @@ static ike_sa_id_t* get_id(private_ike_sa_t *this)
return this->ike_sa_id;
}
/**
* @brief implements function protected_ike_sa_t.compute_secrets
*/
static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret,chunk_t initiator_nonce, chunk_t responder_nonce)
{
chunk_t concatenated_nonces;
@ -357,8 +361,8 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret
u_int64_t initiator_spi;
u_int64_t responder_spi;
prf_plus_t *prf_plus;
chunk_t secrets_raw;
/*
* TODO check length for specific prf's
*/
@ -398,6 +402,7 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret
return FAILED;
}
/* first is initiator */
memcpy(prf_plus_seed.ptr,initiator_nonce.ptr,initiator_nonce.len);
/* second is responder */
@ -409,8 +414,8 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret
responder_spi = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len + 8,&responder_spi,8);
this->logger->log_chunk(this->logger, PRIVATE, "Keyseed", &skeyseed);
this->logger->log_chunk(this->logger, PRIVATE, "PRF+ Seed", &prf_plus_seed);
this->logger->log_chunk(this->logger, PRIVATE | MORE, "Keyseed", &skeyseed);
this->logger->log_chunk(this->logger, PRIVATE | MORE, "PRF+ Seed", &prf_plus_seed);
this->logger->log(this->logger, CONTROL | MOST, "Set new key of prf object");
status = this->prf->set_key(this->prf,skeyseed);
@ -431,11 +436,85 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret
return FAILED;
}
prf_plus->allocate_bytes(prf_plus,100,&secrets_raw);
status = prf_plus->allocate_bytes(prf_plus,this->prf->get_block_size(this->prf),&(this->secrets.d_key));
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_d");
return status;
}
this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", &(this->secrets.d_key));
status = prf_plus->allocate_bytes(prf_plus,this->crypter_initiator->get_block_size(this->crypter_initiator),&(this->secrets.ei_key));
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ei");
return status;
}
this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", &(this->secrets.ei_key));
status = this->crypter_initiator->set_key(this->crypter_initiator,this->secrets.ei_key);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not set encryption key initiator crypter");
return status;
}
status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.er_key));
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_er");
return status;
}
this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &(this->secrets.er_key));
status = this->crypter_responder->set_key(this->crypter_responder,this->secrets.er_key);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not set encryption key responder crypter");
return status;
}
status = prf_plus->allocate_bytes(prf_plus,this->signer_initiator->get_block_size(this->signer_initiator),&(this->secrets.ai_key));
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ai");
return status;
}
this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", &(this->secrets.ai_key));
status = this->signer_initiator->set_key(this->signer_initiator,this->secrets.ai_key);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not set key for initiator signer");
return status;
}
status = prf_plus->allocate_bytes(prf_plus,this->signer_responder->get_block_size(this->signer_responder),&(this->secrets.ar_key));
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ar");
return status;
}
this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", &(this->secrets.ar_key));
status = this->signer_responder->set_key(this->signer_responder,this->secrets.ar_key);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not set key for responder signer");
return status;
}
status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pi_key));
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_pi");
return status;
}
this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &(this->secrets.pi_key));
this->logger->log_chunk(this->logger, PRIVATE, "Secrets", &secrets_raw);
allocator_free_chunk(&secrets_raw);
status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pr_key));
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_pr");
return status;
}
this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &(this->secrets.pr_key));
prf_plus->destroy(prf_plus);
@ -496,6 +575,7 @@ status_t create_delete_job (private_ike_sa_t *this)
*/
static void set_new_state (private_ike_sa_t *this, state_t *state)
{
this->logger->log(this->logger, ERROR, "Change current state %s to %s",mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),mapping_find(ike_sa_state_m,state->get_state(state)));
this->current_state = state;
}
@ -530,6 +610,7 @@ static void set_my_host (private_ike_sa_t *this, host_t *my_host)
{
if (this->me.host != NULL)
{
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing my host object");
this->me.host->destroy(this->me.host);
}
this->me.host = my_host;
@ -542,6 +623,7 @@ static void set_other_host (private_ike_sa_t *this, host_t *other_host)
{
if (this->other.host != NULL)
{
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing other host object");
this->other.host->destroy(this->other.host);
}
this->other.host = other_host;
@ -550,13 +632,110 @@ static void set_other_host (private_ike_sa_t *this, host_t *other_host)
/**
* Implementation of protected_ike_sa_t.set_prf.
*/
static void set_prf (private_ike_sa_t *this,prf_t *prf)
static status_t create_transforms_from_proposal (private_ike_sa_t *this,proposal_substructure_t *proposal)
{
status_t status;
u_int16_t encryption_algorithm;
u_int16_t encryption_algorithm_key_length;
u_int16_t integrity_algorithm;
u_int16_t integrity_algorithm_key_length;
u_int16_t pseudo_random_function;
u_int16_t pseudo_random_function_key_length;
this ->logger->log(this->logger, CONTROL|MORE, "Going to create transform objects for proposal");
this ->logger->log(this->logger, CONTROL|MOST, "Get encryption transform type");
status = proposal->get_info_for_transform_type(proposal,ENCRYPTION_ALGORITHM,&(encryption_algorithm),&(encryption_algorithm_key_length));
if (status != SUCCESS)
{
this ->logger->log(this->logger, ERROR|MORE, "Could not get encryption transform type");
return status;
}
this ->logger->log(this->logger, CONTROL|MORE, "Encryption algorithm: %s with keylength %d",mapping_find(encryption_algorithm_m,encryption_algorithm),encryption_algorithm_key_length);
this ->logger->log(this->logger, CONTROL|MOST, "Get integrity transform type");
status = proposal->get_info_for_transform_type(proposal,INTEGRITY_ALGORITHM,&(integrity_algorithm),&(integrity_algorithm_key_length));
if (status != SUCCESS)
{
this ->logger->log(this->logger, ERROR|MORE, "Could not get integrity transform type");
return status;
}
this ->logger->log(this->logger, CONTROL|MORE, "integrity algorithm: %s with keylength %d",mapping_find(integrity_algorithm_m,integrity_algorithm),integrity_algorithm_key_length);
this ->logger->log(this->logger, CONTROL|MOST, "Get prf transform type");
status = proposal->get_info_for_transform_type(proposal,PSEUDO_RANDOM_FUNCTION,&(pseudo_random_function),&(pseudo_random_function_key_length));
if (status != SUCCESS)
{
this ->logger->log(this->logger, ERROR|MORE, "Could not prf transform type");
return status;
}
this ->logger->log(this->logger, CONTROL|MORE, "prf: %s with keylength %d",mapping_find(pseudo_random_function_m,pseudo_random_function),pseudo_random_function_key_length);
if (this->prf != NULL)
{
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing prf_t object");
this->prf->destroy(this->prf);
}
this->prf = prf;
this->prf = prf_create(pseudo_random_function);
if (this->prf == NULL)
{
this ->logger->log(this->logger, ERROR|MORE, "prf does not seem to be supported!");
return FAILED;
}
if (this->crypter_initiator != NULL)
{
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing initiator crypter_t object");
this->crypter_initiator->destroy(this->crypter_initiator);
}
this->crypter_initiator = crypter_create(encryption_algorithm,encryption_algorithm_key_length);
if (this->crypter_initiator == NULL)
{
this ->logger->log(this->logger, ERROR|MORE, "encryption algorithm does not seem to be supported!");
return FAILED;
}
if (this->crypter_responder != NULL)
{
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing responder crypter_t object");
this->crypter_responder->destroy(this->crypter_responder);
}
this->crypter_responder = crypter_create(encryption_algorithm,encryption_algorithm_key_length);
if (this->crypter_responder == NULL)
{
this ->logger->log(this->logger, ERROR|MORE, "encryption algorithm does not seem to be supported!");
return FAILED;
}
if (this->signer_initiator != NULL)
{
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing initiator signer_t object");
this->signer_initiator->destroy(this->signer_initiator);
}
this->signer_initiator = signer_create(integrity_algorithm);
if (this->signer_initiator == NULL)
{
this ->logger->log(this->logger, ERROR|MORE, "integrity algorithm does not seem to be supported!");
return FAILED;
}
if (this->signer_responder != NULL)
{
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing responder signer_t object");
this->signer_responder->destroy(this->signer_responder);
}
this->signer_responder = signer_create(integrity_algorithm);
if (this->signer_responder == NULL)
{
this ->logger->log(this->logger, ERROR|MORE, "integrity algorithm does not seem to be supported!");
return FAILED;
}
return SUCCESS;
}
/**
@ -775,7 +954,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
this->protected.set_last_requested_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_requested_message;
this->protected.set_last_responded_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_responded_message;
this->protected.set_prf = (void (*) (protected_ike_sa_t *,prf_t *)) set_prf;
this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,proposal_substructure_t *)) create_transforms_from_proposal;
this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
/* private functions */

11
Source/charon/sa/ike_sa.h
View File

@ -26,6 +26,7 @@
#include <types.h>
#include <encoding/message.h>
#include <encoding/payloads/proposal_substructure.h>
#include <sa/ike_sa_id.h>
#include <utils/logger.h>
#include <utils/randomizer.h>
@ -171,14 +172,16 @@ struct protected_ike_sa_t {
void (*set_other_host) (protected_ike_sa_t *this,host_t *other_host);
/**
* Sets the internal stored prf_t object.
* Creates all needed transform objects for given ike_sa_t using
* the informations stored in a proposal_substructure_t object
*
* Allready existing object gets destroyed. object gets not cloned!
* Allready existing objects get destroyed.
*
* @param this calling object
* @param prf pointer to the new prf_t object
* @param proposal proposal used to get informations for transform
* objects (algorithms, key lengths, etc.)
*/
void (*set_prf) (protected_ike_sa_t *this,prf_t *prf);
status_t (*create_transforms_from_proposal) (protected_ike_sa_t *this,proposal_substructure_t *proposal);
/**
* Sets the last requested message.

53
Source/charon/sa/states/ike_sa_init_requested.c
View File

@ -136,12 +136,10 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
{
case SECURITY_ASSOCIATION:
{
sa_payload_t *sa_payload = (sa_payload_t*)payload;
iterator_t *suggested_proposals;
encryption_algorithm_t encryption_algorithm = ENCR_UNDEFINED;
pseudo_random_function_t pseudo_random_function = PRF_UNDEFINED;
integrity_algorithm_t integrity_algorithm = AUTH_UNDEFINED;
prf_t *prf;
sa_payload_t *sa_payload = (sa_payload_t*)payload;
iterator_t *suggested_proposals;
proposal_substructure_t *suggested_proposal;
bool valid;
/* get the list of suggested proposals */
@ -153,27 +151,46 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
return status;
}
/* now let the configuration-manager return the transforms for the given proposal*/
this->logger->log(this->logger, CONTROL | MOST, "Get transforms for suggested proposal");
status = global_configuration_manager->get_transforms_for_host_and_proposals(global_configuration_manager,
this->ike_sa->get_other_host(this->ike_sa), suggested_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm);
/* now let the configuration-manager check the selected proposals*/
this->logger->log(this->logger, CONTROL | MOST, "Check suggested proposals");
status = global_configuration_manager->check_selected_proposals_for_host(global_configuration_manager,
this->ike_sa->get_other_host(this->ike_sa), suggested_proposals,&valid);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Suggested proposals not supported!");
this->logger->log(this->logger, ERROR | MORE, "Could not check suggested proposals!");
suggested_proposals->destroy(suggested_proposals);
payloads->destroy(payloads);
return status;
}
suggested_proposals->destroy(suggested_proposals);
prf = prf_create(pseudo_random_function);
if (prf == NULL)
if (!valid)
{
this->logger->log(this->logger, ERROR | MORE, "PRF type not supported");
this->logger->log(this->logger, ERROR | MORE, "Suggested proposals not accepted!");
payloads->destroy(payloads);
return FAILED;
return status;
}
/* let the ike_sa create their own transforms from proposal informations */
suggested_proposals->reset(suggested_proposals);
/* TODO check for true*/
suggested_proposals->has_next(suggested_proposals);
status = suggested_proposals->current(suggested_proposals,(void **)&suggested_proposal);
suggested_proposals->destroy(suggested_proposals);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not get first proposal");
payloads->destroy(payloads);
return status;
}
status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,suggested_proposal);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Transform objects could not be created from selected proposal");
payloads->destroy(payloads);
return status;
}
this->ike_sa->set_prf(this->ike_sa,prf);
/* ok, we have what we need for sa_payload */

29
Source/charon/sa/states/responder_init.c
View File

@ -223,10 +223,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
{
sa_payload_t *sa_payload = (sa_payload_t*)payload;
iterator_t *suggested_proposals, *accepted_proposals;
encryption_algorithm_t encryption_algorithm = ENCR_UNDEFINED;
pseudo_random_function_t pseudo_random_function = PRF_UNDEFINED;
integrity_algorithm_t integrity_algorithm = AUTH_UNDEFINED;
prf_t *prf;
proposal_substructure_t *accepted_proposal;
status = this->proposals->create_iterator(this->proposals, &accepted_proposals, FALSE);
if (status != SUCCESS)
@ -260,12 +257,13 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
/* iterators are not needed anymore */
suggested_proposals->destroy(suggested_proposals);
/* now let the configuration-manager return the transforms for the given proposal*/
this->logger->log(this->logger, CONTROL | MOST, "Get transforms for accepted proposal");
status = global_configuration_manager->get_transforms_for_host_and_proposals(global_configuration_manager,
this->ike_sa->get_other_host(this->ike_sa), accepted_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm);
/* let the ike_sa create their own transforms from proposal informations */
accepted_proposals->reset(accepted_proposals);
/* TODO check for true*/
accepted_proposals->has_next(accepted_proposals);
status = accepted_proposals->current(accepted_proposals,(void **)&accepted_proposal);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Accepted proposals not supported?!");
@ -273,16 +271,15 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
payloads->destroy(payloads);
return status;
}
accepted_proposals->destroy(accepted_proposals);
prf = prf_create(pseudo_random_function);
if (prf == NULL)
status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,accepted_proposal);
accepted_proposals->destroy(accepted_proposals);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "PRF type not supported");
this->logger->log(this->logger, ERROR | MORE, "Transform objects could not be created from selected proposal");
payloads->destroy(payloads);
return FAILED;
return status;
}
this->ike_sa->set_prf(this->ike_sa,prf);
this->logger->log(this->logger, CONTROL | MORE, "SA Payload processed");
/* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/
@ -397,8 +394,6 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
this->logger->log(this->logger, ERROR | MORE, "Secrets could not be computed!");
return status;
}
/* set up the reply */
status = this->ike_sa->build_message(this->ike_sa, IKE_SA_INIT, FALSE, &response);

17
Source/charon/transforms/crypters/crypter.c
View File

@ -45,3 +45,20 @@ mapping_t encryption_algorithm_m[] = {
{ENCR_AES_CTR, "ENCR_AES_CTR"},
{MAPPING_END, NULL}
};
/*
* Described in header.
*/
crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm,size_t blocksize)
{
switch (encryption_algorithm)
{
case ENCR_AES_CBC:
{
return (crypter_t*)aes_cbc_crypter_create(blocksize);
}
default:
return NULL;
}
}

3
Source/charon/transforms/crypters/crypter.h
View File

@ -118,10 +118,11 @@ struct crypter_t {
* @brief Generic constructor for crypter_t objects.
*
* @param encryption_algorithm Algorithm to use for crypter
* @param blocksize block size in bytes
* @return
* - crypter_t if successfully
* - NULL if out of ressources or crypter not supported
*/
crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm);
crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm, size_t blocksize);
#endif /*CRYPTER_H_*/

1
Source/charon/utils/logger_manager.c
View File

@ -148,6 +148,7 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
logger_level |= FULL;
break;
case IKE_SA:
logger_level |= FULL;
case IKE_SA_MANAGER:
case MESSAGE:
logger_level |= ALL;