- added compution of all needed keys and also creation of needed
transform objects
This commit is contained in:
parent
61068e9152
commit
b9d9f18874
|
@ -237,7 +237,7 @@ static status_t get_proposals_for_host(private_configuration_manager_t *this, ho
|
|||
proposal->destroy(proposal);
|
||||
return OUT_OF_RES;
|
||||
}
|
||||
transform->set_transform_type(transform, INTEGRITIY_ALGORITHM);
|
||||
transform->set_transform_type(transform, INTEGRITY_ALGORITHM);
|
||||
transform->set_transform_id(transform, AUTH_HMAC_MD5_96);
|
||||
|
||||
attribute = transform_attribute_create();
|
||||
|
@ -320,102 +320,17 @@ static status_t select_proposals_for_host(private_configuration_manager_t *this,
|
|||
}
|
||||
|
||||
/**
|
||||
* Implements function configuration_manager_t.get_transforms_for_host_and_proposals.
|
||||
* Implements function configuration_manager_t.check_selected_proposals_for_host.
|
||||
*/
|
||||
static status_t get_transforms_for_host_and_proposals (private_configuration_manager_t *this, host_t *host, iterator_t *proposals,encryption_algorithm_t *encryption_algorithm,pseudo_random_function_t *pseudo_random_function, integrity_algorithm_t *integrity_algorithm)
|
||||
static status_t check_selected_proposals_for_host (private_configuration_manager_t *this, host_t *host, iterator_t *proposals,bool *valid)
|
||||
{
|
||||
/*
|
||||
* Currently the given proposals are not checked if they are valid for specific host!
|
||||
*
|
||||
* The first proposal is taken and the appropriate transform objects are created (only if they are supported)
|
||||
* The first proposal is taken
|
||||
*/
|
||||
|
||||
encryption_algorithm_t selected_encryption_algorithm = ENCR_UNDEFINED;
|
||||
pseudo_random_function_t selected_pseudo_random_function = PRF_UNDEFINED;
|
||||
integrity_algorithm_t selected_integrity_algorithm = AUTH_UNDEFINED;
|
||||
proposal_substructure_t *proposal;
|
||||
iterator_t *transforms;
|
||||
status_t status;
|
||||
|
||||
this->logger->log(this->logger,CONTROL|MORE, "Going to get transforms for given proposal");
|
||||
|
||||
if (!proposals->has_next(proposals))
|
||||
{
|
||||
this->logger->log(this->logger,ERROR | MORE, "No proposal available");
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
status = proposals->current(proposals,(void **) &(proposal));
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger,ERROR, "Fatal error: could not get first proposal from iterator");
|
||||
return status;
|
||||
}
|
||||
|
||||
status = proposal->create_transform_substructure_iterator(proposal,&transforms,TRUE);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger,ERROR, "Fatal error: could not create iterator of transforms");
|
||||
return status;
|
||||
}
|
||||
|
||||
while (transforms->has_next(transforms))
|
||||
{
|
||||
transform_substructure_t *current_transform;
|
||||
transform_type_t transform_type;
|
||||
u_int16_t transform_id;
|
||||
|
||||
status = transforms->current(transforms,(void **) &(current_transform));
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger,ERROR, "Fatal error: could not get current transform substructure object");
|
||||
transforms->destroy(transforms);
|
||||
return status;
|
||||
}
|
||||
|
||||
transform_type = current_transform->get_transform_type(current_transform);
|
||||
transform_id = current_transform->get_transform_id(current_transform);
|
||||
|
||||
this->logger->log(this->logger,CONTROL | MOST, "Going to process transform of type %s",mapping_find(transform_type_m,transform_type));
|
||||
switch (transform_type)
|
||||
{
|
||||
case ENCRYPTION_ALGORITHM:
|
||||
{
|
||||
this->logger->log(this->logger,CONTROL | MORE, "Encryption algorithm: %s",mapping_find(encryption_algorithm_m,transform_id));
|
||||
selected_encryption_algorithm = transform_id;
|
||||
break;
|
||||
}
|
||||
case PSEUDO_RANDOM_FUNCTION:
|
||||
{
|
||||
this->logger->log(this->logger,CONTROL | MORE, "Create transform object for PRF of type %s",mapping_find(pseudo_random_function_m,transform_id));
|
||||
selected_pseudo_random_function = transform_id;
|
||||
break;
|
||||
}
|
||||
case INTEGRITIY_ALGORITHM:
|
||||
{
|
||||
this->logger->log(this->logger,CONTROL | MORE, "Integrity algorithm: %s",mapping_find(integrity_algorithm_m,transform_id));
|
||||
selected_integrity_algorithm = transform_id;
|
||||
break;
|
||||
}
|
||||
case DIFFIE_HELLMAN_GROUP:
|
||||
{
|
||||
this->logger->log(this->logger,CONTROL | MORE, "DH Group: %s",mapping_find(diffie_hellman_group_m,transform_id));
|
||||
break;
|
||||
}
|
||||
default:
|
||||
{
|
||||
this->logger->log(this->logger,ERROR | MORE, "Transform type not supported!");
|
||||
transforms->destroy(transforms);
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
transforms->destroy(transforms);
|
||||
|
||||
*encryption_algorithm = selected_encryption_algorithm;
|
||||
*pseudo_random_function = selected_pseudo_random_function;
|
||||
*integrity_algorithm = selected_integrity_algorithm;
|
||||
this->logger->log(this->logger,CONTROL|MORE, "Going to check selected proposals");
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
|
@ -472,7 +387,7 @@ configuration_manager_t *configuration_manager_create()
|
|||
this->public.get_dh_group_number = (status_t(*)(configuration_manager_t*,char*,u_int16_t *, u_int16_t))get_dh_group_number;
|
||||
this->public.get_proposals_for_host = (status_t(*)(configuration_manager_t*,host_t*,iterator_t*))get_proposals_for_host;
|
||||
this->public.select_proposals_for_host = (status_t(*)(configuration_manager_t*,host_t*,iterator_t*,iterator_t*))select_proposals_for_host;
|
||||
this->public.get_transforms_for_host_and_proposals = (status_t (*) (configuration_manager_t *, host_t *, iterator_t *,encryption_algorithm_t *,pseudo_random_function_t *, integrity_algorithm_t *)) get_transforms_for_host_and_proposals;
|
||||
this->public.check_selected_proposals_for_host = (status_t (*) (configuration_manager_t *, host_t *, iterator_t *,bool *)) check_selected_proposals_for_host;
|
||||
this->public.is_dh_group_allowed_for_host = (status_t(*)(configuration_manager_t*,host_t*,diffie_hellman_group_t,bool*)) is_dh_group_allowed_for_host;
|
||||
|
||||
/* private variables */
|
||||
|
|
|
@ -137,23 +137,24 @@ struct configuration_manager_t {
|
|||
status_t (*select_proposals_for_host) (configuration_manager_t *this, host_t *host, iterator_t *in, iterator_t *out);
|
||||
|
||||
/**
|
||||
* Returns the transforms of type crypter_t, signer_t and prf_t as specified in given proposal.
|
||||
* Checks if the selected proposals of a remote hosts are valid.
|
||||
*
|
||||
*
|
||||
* @param this calling object
|
||||
* @param host host information
|
||||
* @param proposals iterator with selected proposals
|
||||
* @param[out] encryption_algorithm
|
||||
* @param[out] pseudo_random_function
|
||||
* @param[out] integrity_algorithm
|
||||
* @param this calling object
|
||||
* @param host host information
|
||||
* @param proposals iterator with selected proposals
|
||||
* @param[out] valid TRUE if selected proposals are accepted
|
||||
*
|
||||
* @return
|
||||
* - OUT_OF_RES
|
||||
* - FAILED
|
||||
* - NOT_FOUND (not yet implemented)
|
||||
* - SUCCESS
|
||||
* @return
|
||||
* - OUT_OF_RES
|
||||
* - FAILED
|
||||
* - NOT_FOUND (not yet implemented)
|
||||
* - SUCCESS
|
||||
*/
|
||||
status_t (*get_transforms_for_host_and_proposals) (configuration_manager_t *this, host_t *host, iterator_t *proposals,encryption_algorithm_t *encryption_algorithm,pseudo_random_function_t *pseudo_random_function, integrity_algorithm_t *integrity_algorithm);
|
||||
status_t (*check_selected_proposals_for_host) (configuration_manager_t *this,
|
||||
host_t *host,
|
||||
iterator_t *proposals,
|
||||
bool *valid);
|
||||
|
||||
/**
|
||||
* Checks if a given dh_group number is allowed for a specific host
|
||||
|
|
|
@ -327,6 +327,41 @@ static chunk_t get_spi (private_proposal_substructure_t *this)
|
|||
return spi;
|
||||
}
|
||||
|
||||
static status_t get_info_for_transform_type (private_proposal_substructure_t *this,transform_type_t type, u_int16_t *transform_id, u_int16_t *key_length)
|
||||
{
|
||||
iterator_t *iterator;
|
||||
status_t status;
|
||||
u_int16_t found_transform_id;
|
||||
u_int16_t found_key_length;
|
||||
|
||||
status = this->transforms->create_iterator(this->transforms,&iterator,TRUE);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
return status;
|
||||
}
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
transform_substructure_t *current_transform;
|
||||
status = iterator->current(iterator,(void **) ¤t_transform);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
break;
|
||||
}
|
||||
if (current_transform->get_transform_type(current_transform) == type)
|
||||
{
|
||||
/* now get data for specific type */
|
||||
found_transform_id = current_transform->get_transform_id(current_transform);
|
||||
status = current_transform->get_key_length(current_transform,&found_key_length);
|
||||
*transform_id = found_transform_id;
|
||||
*key_length = found_key_length;
|
||||
iterator->destroy(iterator);
|
||||
return status;
|
||||
}
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements private_proposal_substructure_t's compute_length function.
|
||||
* See #private_proposal_substructure_s.compute_length for description.
|
||||
|
@ -483,11 +518,13 @@ proposal_substructure_t *proposal_substructure_create()
|
|||
this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number;
|
||||
this->public.set_protocol_id = (status_t (*) (proposal_substructure_t *,u_int8_t))set_protocol_id;
|
||||
this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id;
|
||||
this->public.get_info_for_transform_type = (status_t (*) (proposal_substructure_t *,transform_type_t,u_int16_t *, u_int16_t *))get_info_for_transform_type;
|
||||
this->public.set_spi = (status_t (*) (proposal_substructure_t *,chunk_t))set_spi;
|
||||
this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi;
|
||||
this->public.clone = (status_t (*) (proposal_substructure_t *, proposal_substructure_t **)) clone;
|
||||
this->public.destroy = (status_t (*) (proposal_substructure_t *)) destroy;
|
||||
|
||||
|
||||
/* private functions */
|
||||
this->compute_length = compute_length;
|
||||
|
||||
|
|
|
@ -125,6 +125,21 @@ struct proposal_substructure_t {
|
|||
* @return protocol id of current proposal substructure.
|
||||
*/
|
||||
u_int8_t (*get_protocol_id) (proposal_substructure_t *this);
|
||||
|
||||
/**
|
||||
* @brief Get informations for a specific transform type.
|
||||
*
|
||||
* @param this calling proposal_substructure_t object
|
||||
* @param type type to get informations for
|
||||
* @param transform_id transform id of the specific type
|
||||
* @param key_length key length of the specific key length transform attribute
|
||||
* @return
|
||||
* - SUCCESS if transform type is part of this proposal and
|
||||
* all data (incl. key length) could be fetched
|
||||
* - FAILED if transform type is not part of this proposal
|
||||
* - OUT_OF_RES
|
||||
*/
|
||||
status_t (*get_info_for_transform_type) (proposal_substructure_t *this,transform_type_t type, u_int16_t *transform_id, u_int16_t *key_length);
|
||||
|
||||
|
||||
/**
|
||||
|
|
|
@ -91,7 +91,7 @@ mapping_t transform_type_m[] = {
|
|||
{UNDEFINED_TRANSFORM_TYPE, "UNDEFINED_TRANSFORM_TYPE"},
|
||||
{ENCRYPTION_ALGORITHM, "ENCRYPTION_ALGORITHM"},
|
||||
{PSEUDO_RANDOM_FUNCTION, "PSEUDO_RANDOM_FUNCTION"},
|
||||
{INTEGRITIY_ALGORITHM, "INTEGRITIY_ALGORITHM"},
|
||||
{INTEGRITY_ALGORITHM, "INTEGRITY_ALGORITHM"},
|
||||
{DIFFIE_HELLMAN_GROUP, "DIFFIE_HELLMAN_GROUP"},
|
||||
{EXTENDED_SEQUENCE_NUNBERS, "EXTENDED_SEQUENCE_NUNBERS"},
|
||||
{MAPPING_END, NULL}
|
||||
|
@ -177,7 +177,7 @@ static status_t verify(private_transform_substructure_t *this)
|
|||
}
|
||||
break;
|
||||
}
|
||||
case INTEGRITIY_ALGORITHM:
|
||||
case INTEGRITY_ALGORITHM:
|
||||
{
|
||||
if ((this->transform_id < AUTH_HMAC_MD5_96) || (this->transform_id > AUTH_AES_XCBC_96))
|
||||
{
|
||||
|
@ -442,6 +442,43 @@ static status_t clone(private_transform_substructure_t *this,transform_substruct
|
|||
}
|
||||
|
||||
|
||||
/**
|
||||
* Implementation of transform_substructure_t.get_key_length.
|
||||
*/
|
||||
static status_t get_key_length(private_transform_substructure_t *this, u_int16_t *key_length)
|
||||
{
|
||||
iterator_t *attributes;
|
||||
status_t status;
|
||||
|
||||
status = this->attributes->create_iterator(this->attributes,&attributes,TRUE);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
return status;
|
||||
}
|
||||
|
||||
while (attributes->has_next(attributes))
|
||||
{
|
||||
transform_attribute_t *current_attribute;
|
||||
status = attributes->current(attributes,(void **) ¤t_attribute);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
attributes->destroy(attributes);
|
||||
return status;
|
||||
}
|
||||
if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH)
|
||||
{
|
||||
*key_length = current_attribute->get_value(current_attribute);
|
||||
attributes->destroy(attributes);
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
}
|
||||
attributes->destroy(attributes);
|
||||
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Implements payload_t's and transform_substructure_t's destroy function.
|
||||
* See #payload_s.destroy or transform_substructure_s.destroy for description.
|
||||
|
@ -494,6 +531,7 @@ transform_substructure_t *transform_substructure_create()
|
|||
this->public.get_transform_type = (u_int8_t (*) (transform_substructure_t *)) get_transform_type;
|
||||
this->public.set_transform_id = (status_t (*) (transform_substructure_t *,u_int16_t)) set_transform_id;
|
||||
this->public.get_transform_id = (u_int16_t (*) (transform_substructure_t *)) get_transform_id;
|
||||
this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length;
|
||||
this->public.clone = (status_t (*) (transform_substructure_t *,transform_substructure_t **)) clone;
|
||||
this->public.destroy = (status_t (*) (transform_substructure_t *)) destroy;
|
||||
|
||||
|
|
|
@ -56,7 +56,7 @@ enum transform_type_t {
|
|||
UNDEFINED_TRANSFORM_TYPE = 241,
|
||||
ENCRYPTION_ALGORITHM = 1,
|
||||
PSEUDO_RANDOM_FUNCTION = 2,
|
||||
INTEGRITIY_ALGORITHM = 3,
|
||||
INTEGRITY_ALGORITHM = 3,
|
||||
DIFFIE_HELLMAN_GROUP = 4,
|
||||
EXTENDED_SEQUENCE_NUNBERS = 5
|
||||
};
|
||||
|
@ -180,6 +180,19 @@ struct transform_substructure_t {
|
|||
* @return Transform id of current transform substructure.
|
||||
*/
|
||||
u_int16_t (*get_transform_id) (transform_substructure_t *this);
|
||||
|
||||
/**
|
||||
* @brief get transform id of the current transform.
|
||||
*
|
||||
* @param this calling transform_substructure_t object
|
||||
* @param key_length The key length is written to this location
|
||||
* @return
|
||||
* - SUCCESS if a key length attribute is contained
|
||||
* - FAILED if no key length attribute is part of this
|
||||
* transform or key length uses more then 16 bit!
|
||||
* - OUT_OF_RES
|
||||
*/
|
||||
status_t (*get_key_length) (transform_substructure_t *this,u_int16_t *key_length);
|
||||
|
||||
/**
|
||||
* @brief Clones an transform_substructure_t object.
|
||||
|
|
|
@ -32,6 +32,7 @@
|
|||
#include <utils/randomizer.h>
|
||||
#include <transforms/diffie_hellman.h>
|
||||
#include <transforms/prf_plus.h>
|
||||
#include <transforms/crypters/crypter.h>
|
||||
#include <encoding/payloads/sa_payload.h>
|
||||
#include <encoding/payloads/nonce_payload.h>
|
||||
#include <encoding/payloads/ke_payload.h>
|
||||
|
@ -348,6 +349,9 @@ static ike_sa_id_t* get_id(private_ike_sa_t *this)
|
|||
return this->ike_sa_id;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief implements function protected_ike_sa_t.compute_secrets
|
||||
*/
|
||||
static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret,chunk_t initiator_nonce, chunk_t responder_nonce)
|
||||
{
|
||||
chunk_t concatenated_nonces;
|
||||
|
@ -357,8 +361,8 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret
|
|||
u_int64_t initiator_spi;
|
||||
u_int64_t responder_spi;
|
||||
prf_plus_t *prf_plus;
|
||||
chunk_t secrets_raw;
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* TODO check length for specific prf's
|
||||
*/
|
||||
|
@ -398,6 +402,7 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret
|
|||
return FAILED;
|
||||
}
|
||||
|
||||
|
||||
/* first is initiator */
|
||||
memcpy(prf_plus_seed.ptr,initiator_nonce.ptr,initiator_nonce.len);
|
||||
/* second is responder */
|
||||
|
@ -409,8 +414,8 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret
|
|||
responder_spi = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
|
||||
memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len + 8,&responder_spi,8);
|
||||
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "Keyseed", &skeyseed);
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "PRF+ Seed", &prf_plus_seed);
|
||||
this->logger->log_chunk(this->logger, PRIVATE | MORE, "Keyseed", &skeyseed);
|
||||
this->logger->log_chunk(this->logger, PRIVATE | MORE, "PRF+ Seed", &prf_plus_seed);
|
||||
|
||||
this->logger->log(this->logger, CONTROL | MOST, "Set new key of prf object");
|
||||
status = this->prf->set_key(this->prf,skeyseed);
|
||||
|
@ -431,11 +436,85 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret
|
|||
return FAILED;
|
||||
}
|
||||
|
||||
prf_plus->allocate_bytes(prf_plus,100,&secrets_raw);
|
||||
status = prf_plus->allocate_bytes(prf_plus,this->prf->get_block_size(this->prf),&(this->secrets.d_key));
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_d");
|
||||
return status;
|
||||
}
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", &(this->secrets.d_key));
|
||||
|
||||
status = prf_plus->allocate_bytes(prf_plus,this->crypter_initiator->get_block_size(this->crypter_initiator),&(this->secrets.ei_key));
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ei");
|
||||
return status;
|
||||
}
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", &(this->secrets.ei_key));
|
||||
status = this->crypter_initiator->set_key(this->crypter_initiator,this->secrets.ei_key);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not set encryption key initiator crypter");
|
||||
return status;
|
||||
}
|
||||
|
||||
status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.er_key));
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_er");
|
||||
return status;
|
||||
}
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &(this->secrets.er_key));
|
||||
status = this->crypter_responder->set_key(this->crypter_responder,this->secrets.er_key);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not set encryption key responder crypter");
|
||||
return status;
|
||||
}
|
||||
|
||||
status = prf_plus->allocate_bytes(prf_plus,this->signer_initiator->get_block_size(this->signer_initiator),&(this->secrets.ai_key));
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ai");
|
||||
return status;
|
||||
}
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", &(this->secrets.ai_key));
|
||||
status = this->signer_initiator->set_key(this->signer_initiator,this->secrets.ai_key);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not set key for initiator signer");
|
||||
return status;
|
||||
}
|
||||
|
||||
status = prf_plus->allocate_bytes(prf_plus,this->signer_responder->get_block_size(this->signer_responder),&(this->secrets.ar_key));
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ar");
|
||||
return status;
|
||||
}
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", &(this->secrets.ar_key));
|
||||
status = this->signer_responder->set_key(this->signer_responder,this->secrets.ar_key);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not set key for responder signer");
|
||||
return status;
|
||||
}
|
||||
|
||||
status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pi_key));
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_pi");
|
||||
return status;
|
||||
}
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &(this->secrets.pi_key));
|
||||
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "Secrets", &secrets_raw);
|
||||
|
||||
allocator_free_chunk(&secrets_raw);
|
||||
status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pr_key));
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_pr");
|
||||
return status;
|
||||
}
|
||||
this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &(this->secrets.pr_key));
|
||||
|
||||
prf_plus->destroy(prf_plus);
|
||||
|
||||
|
@ -496,6 +575,7 @@ status_t create_delete_job (private_ike_sa_t *this)
|
|||
*/
|
||||
static void set_new_state (private_ike_sa_t *this, state_t *state)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Change current state %s to %s",mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),mapping_find(ike_sa_state_m,state->get_state(state)));
|
||||
this->current_state = state;
|
||||
}
|
||||
|
||||
|
@ -530,6 +610,7 @@ static void set_my_host (private_ike_sa_t *this, host_t *my_host)
|
|||
{
|
||||
if (this->me.host != NULL)
|
||||
{
|
||||
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing my host object");
|
||||
this->me.host->destroy(this->me.host);
|
||||
}
|
||||
this->me.host = my_host;
|
||||
|
@ -542,6 +623,7 @@ static void set_other_host (private_ike_sa_t *this, host_t *other_host)
|
|||
{
|
||||
if (this->other.host != NULL)
|
||||
{
|
||||
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing other host object");
|
||||
this->other.host->destroy(this->other.host);
|
||||
}
|
||||
this->other.host = other_host;
|
||||
|
@ -550,13 +632,110 @@ static void set_other_host (private_ike_sa_t *this, host_t *other_host)
|
|||
/**
|
||||
* Implementation of protected_ike_sa_t.set_prf.
|
||||
*/
|
||||
static void set_prf (private_ike_sa_t *this,prf_t *prf)
|
||||
static status_t create_transforms_from_proposal (private_ike_sa_t *this,proposal_substructure_t *proposal)
|
||||
{
|
||||
status_t status;
|
||||
u_int16_t encryption_algorithm;
|
||||
u_int16_t encryption_algorithm_key_length;
|
||||
u_int16_t integrity_algorithm;
|
||||
u_int16_t integrity_algorithm_key_length;
|
||||
u_int16_t pseudo_random_function;
|
||||
u_int16_t pseudo_random_function_key_length;
|
||||
|
||||
this ->logger->log(this->logger, CONTROL|MORE, "Going to create transform objects for proposal");
|
||||
|
||||
this ->logger->log(this->logger, CONTROL|MOST, "Get encryption transform type");
|
||||
status = proposal->get_info_for_transform_type(proposal,ENCRYPTION_ALGORITHM,&(encryption_algorithm),&(encryption_algorithm_key_length));
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this ->logger->log(this->logger, ERROR|MORE, "Could not get encryption transform type");
|
||||
return status;
|
||||
}
|
||||
this ->logger->log(this->logger, CONTROL|MORE, "Encryption algorithm: %s with keylength %d",mapping_find(encryption_algorithm_m,encryption_algorithm),encryption_algorithm_key_length);
|
||||
|
||||
this ->logger->log(this->logger, CONTROL|MOST, "Get integrity transform type");
|
||||
status = proposal->get_info_for_transform_type(proposal,INTEGRITY_ALGORITHM,&(integrity_algorithm),&(integrity_algorithm_key_length));
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this ->logger->log(this->logger, ERROR|MORE, "Could not get integrity transform type");
|
||||
return status;
|
||||
}
|
||||
this ->logger->log(this->logger, CONTROL|MORE, "integrity algorithm: %s with keylength %d",mapping_find(integrity_algorithm_m,integrity_algorithm),integrity_algorithm_key_length);
|
||||
|
||||
this ->logger->log(this->logger, CONTROL|MOST, "Get prf transform type");
|
||||
status = proposal->get_info_for_transform_type(proposal,PSEUDO_RANDOM_FUNCTION,&(pseudo_random_function),&(pseudo_random_function_key_length));
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this ->logger->log(this->logger, ERROR|MORE, "Could not prf transform type");
|
||||
return status;
|
||||
}
|
||||
this ->logger->log(this->logger, CONTROL|MORE, "prf: %s with keylength %d",mapping_find(pseudo_random_function_m,pseudo_random_function),pseudo_random_function_key_length);
|
||||
|
||||
|
||||
|
||||
|
||||
if (this->prf != NULL)
|
||||
{
|
||||
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing prf_t object");
|
||||
this->prf->destroy(this->prf);
|
||||
}
|
||||
this->prf = prf;
|
||||
this->prf = prf_create(pseudo_random_function);
|
||||
if (this->prf == NULL)
|
||||
{
|
||||
this ->logger->log(this->logger, ERROR|MORE, "prf does not seem to be supported!");
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
if (this->crypter_initiator != NULL)
|
||||
{
|
||||
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing initiator crypter_t object");
|
||||
this->crypter_initiator->destroy(this->crypter_initiator);
|
||||
}
|
||||
this->crypter_initiator = crypter_create(encryption_algorithm,encryption_algorithm_key_length);
|
||||
if (this->crypter_initiator == NULL)
|
||||
{
|
||||
this ->logger->log(this->logger, ERROR|MORE, "encryption algorithm does not seem to be supported!");
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
if (this->crypter_responder != NULL)
|
||||
{
|
||||
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing responder crypter_t object");
|
||||
this->crypter_responder->destroy(this->crypter_responder);
|
||||
}
|
||||
this->crypter_responder = crypter_create(encryption_algorithm,encryption_algorithm_key_length);
|
||||
if (this->crypter_responder == NULL)
|
||||
{
|
||||
this ->logger->log(this->logger, ERROR|MORE, "encryption algorithm does not seem to be supported!");
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
if (this->signer_initiator != NULL)
|
||||
{
|
||||
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing initiator signer_t object");
|
||||
this->signer_initiator->destroy(this->signer_initiator);
|
||||
}
|
||||
this->signer_initiator = signer_create(integrity_algorithm);
|
||||
if (this->signer_initiator == NULL)
|
||||
{
|
||||
this ->logger->log(this->logger, ERROR|MORE, "integrity algorithm does not seem to be supported!");
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
|
||||
if (this->signer_responder != NULL)
|
||||
{
|
||||
this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing responder signer_t object");
|
||||
this->signer_responder->destroy(this->signer_responder);
|
||||
}
|
||||
this->signer_responder = signer_create(integrity_algorithm);
|
||||
if (this->signer_responder == NULL)
|
||||
{
|
||||
this ->logger->log(this->logger, ERROR|MORE, "integrity algorithm does not seem to be supported!");
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -775,7 +954,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
|
|||
this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
|
||||
this->protected.set_last_requested_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_requested_message;
|
||||
this->protected.set_last_responded_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_responded_message;
|
||||
this->protected.set_prf = (void (*) (protected_ike_sa_t *,prf_t *)) set_prf;
|
||||
this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,proposal_substructure_t *)) create_transforms_from_proposal;
|
||||
this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
|
||||
|
||||
/* private functions */
|
||||
|
|
|
@ -26,6 +26,7 @@
|
|||
|
||||
#include <types.h>
|
||||
#include <encoding/message.h>
|
||||
#include <encoding/payloads/proposal_substructure.h>
|
||||
#include <sa/ike_sa_id.h>
|
||||
#include <utils/logger.h>
|
||||
#include <utils/randomizer.h>
|
||||
|
@ -171,14 +172,16 @@ struct protected_ike_sa_t {
|
|||
void (*set_other_host) (protected_ike_sa_t *this,host_t *other_host);
|
||||
|
||||
/**
|
||||
* Sets the internal stored prf_t object.
|
||||
* Creates all needed transform objects for given ike_sa_t using
|
||||
* the informations stored in a proposal_substructure_t object
|
||||
*
|
||||
* Allready existing object gets destroyed. object gets not cloned!
|
||||
* Allready existing objects get destroyed.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param prf pointer to the new prf_t object
|
||||
* @param proposal proposal used to get informations for transform
|
||||
* objects (algorithms, key lengths, etc.)
|
||||
*/
|
||||
void (*set_prf) (protected_ike_sa_t *this,prf_t *prf);
|
||||
status_t (*create_transforms_from_proposal) (protected_ike_sa_t *this,proposal_substructure_t *proposal);
|
||||
|
||||
/**
|
||||
* Sets the last requested message.
|
||||
|
|
|
@ -136,12 +136,10 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
|
|||
{
|
||||
case SECURITY_ASSOCIATION:
|
||||
{
|
||||
sa_payload_t *sa_payload = (sa_payload_t*)payload;
|
||||
iterator_t *suggested_proposals;
|
||||
encryption_algorithm_t encryption_algorithm = ENCR_UNDEFINED;
|
||||
pseudo_random_function_t pseudo_random_function = PRF_UNDEFINED;
|
||||
integrity_algorithm_t integrity_algorithm = AUTH_UNDEFINED;
|
||||
prf_t *prf;
|
||||
sa_payload_t *sa_payload = (sa_payload_t*)payload;
|
||||
iterator_t *suggested_proposals;
|
||||
proposal_substructure_t *suggested_proposal;
|
||||
bool valid;
|
||||
|
||||
|
||||
/* get the list of suggested proposals */
|
||||
|
@ -153,27 +151,46 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
|
|||
return status;
|
||||
}
|
||||
|
||||
/* now let the configuration-manager return the transforms for the given proposal*/
|
||||
this->logger->log(this->logger, CONTROL | MOST, "Get transforms for suggested proposal");
|
||||
status = global_configuration_manager->get_transforms_for_host_and_proposals(global_configuration_manager,
|
||||
this->ike_sa->get_other_host(this->ike_sa), suggested_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm);
|
||||
/* now let the configuration-manager check the selected proposals*/
|
||||
this->logger->log(this->logger, CONTROL | MOST, "Check suggested proposals");
|
||||
status = global_configuration_manager->check_selected_proposals_for_host(global_configuration_manager,
|
||||
this->ike_sa->get_other_host(this->ike_sa), suggested_proposals,&valid);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Suggested proposals not supported!");
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not check suggested proposals!");
|
||||
suggested_proposals->destroy(suggested_proposals);
|
||||
payloads->destroy(payloads);
|
||||
return status;
|
||||
}
|
||||
suggested_proposals->destroy(suggested_proposals);
|
||||
|
||||
prf = prf_create(pseudo_random_function);
|
||||
if (prf == NULL)
|
||||
|
||||
if (!valid)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "PRF type not supported");
|
||||
this->logger->log(this->logger, ERROR | MORE, "Suggested proposals not accepted!");
|
||||
payloads->destroy(payloads);
|
||||
return FAILED;
|
||||
return status;
|
||||
}
|
||||
|
||||
|
||||
/* let the ike_sa create their own transforms from proposal informations */
|
||||
suggested_proposals->reset(suggested_proposals);
|
||||
/* TODO check for true*/
|
||||
suggested_proposals->has_next(suggested_proposals);
|
||||
status = suggested_proposals->current(suggested_proposals,(void **)&suggested_proposal);
|
||||
suggested_proposals->destroy(suggested_proposals);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not get first proposal");
|
||||
payloads->destroy(payloads);
|
||||
return status;
|
||||
}
|
||||
|
||||
status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,suggested_proposal);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Transform objects could not be created from selected proposal");
|
||||
payloads->destroy(payloads);
|
||||
return status;
|
||||
}
|
||||
this->ike_sa->set_prf(this->ike_sa,prf);
|
||||
|
||||
|
||||
/* ok, we have what we need for sa_payload */
|
||||
|
|
|
@ -223,10 +223,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
|
|||
{
|
||||
sa_payload_t *sa_payload = (sa_payload_t*)payload;
|
||||
iterator_t *suggested_proposals, *accepted_proposals;
|
||||
encryption_algorithm_t encryption_algorithm = ENCR_UNDEFINED;
|
||||
pseudo_random_function_t pseudo_random_function = PRF_UNDEFINED;
|
||||
integrity_algorithm_t integrity_algorithm = AUTH_UNDEFINED;
|
||||
prf_t *prf;
|
||||
proposal_substructure_t *accepted_proposal;
|
||||
|
||||
status = this->proposals->create_iterator(this->proposals, &accepted_proposals, FALSE);
|
||||
if (status != SUCCESS)
|
||||
|
@ -260,12 +257,13 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
|
|||
|
||||
/* iterators are not needed anymore */
|
||||
suggested_proposals->destroy(suggested_proposals);
|
||||
|
||||
|
||||
/* now let the configuration-manager return the transforms for the given proposal*/
|
||||
this->logger->log(this->logger, CONTROL | MOST, "Get transforms for accepted proposal");
|
||||
status = global_configuration_manager->get_transforms_for_host_and_proposals(global_configuration_manager,
|
||||
this->ike_sa->get_other_host(this->ike_sa), accepted_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm);
|
||||
|
||||
/* let the ike_sa create their own transforms from proposal informations */
|
||||
accepted_proposals->reset(accepted_proposals);
|
||||
/* TODO check for true*/
|
||||
accepted_proposals->has_next(accepted_proposals);
|
||||
status = accepted_proposals->current(accepted_proposals,(void **)&accepted_proposal);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Accepted proposals not supported?!");
|
||||
|
@ -273,16 +271,15 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
|
|||
payloads->destroy(payloads);
|
||||
return status;
|
||||
}
|
||||
accepted_proposals->destroy(accepted_proposals);
|
||||
|
||||
prf = prf_create(pseudo_random_function);
|
||||
if (prf == NULL)
|
||||
status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,accepted_proposal);
|
||||
accepted_proposals->destroy(accepted_proposals);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "PRF type not supported");
|
||||
this->logger->log(this->logger, ERROR | MORE, "Transform objects could not be created from selected proposal");
|
||||
payloads->destroy(payloads);
|
||||
return FAILED;
|
||||
return status;
|
||||
}
|
||||
this->ike_sa->set_prf(this->ike_sa,prf);
|
||||
|
||||
this->logger->log(this->logger, CONTROL | MORE, "SA Payload processed");
|
||||
/* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/
|
||||
|
@ -397,8 +394,6 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
|
|||
this->logger->log(this->logger, ERROR | MORE, "Secrets could not be computed!");
|
||||
return status;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/* set up the reply */
|
||||
status = this->ike_sa->build_message(this->ike_sa, IKE_SA_INIT, FALSE, &response);
|
||||
|
|
|
@ -45,3 +45,20 @@ mapping_t encryption_algorithm_m[] = {
|
|||
{ENCR_AES_CTR, "ENCR_AES_CTR"},
|
||||
{MAPPING_END, NULL}
|
||||
};
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm,size_t blocksize)
|
||||
{
|
||||
switch (encryption_algorithm)
|
||||
{
|
||||
case ENCR_AES_CBC:
|
||||
{
|
||||
return (crypter_t*)aes_cbc_crypter_create(blocksize);
|
||||
|
||||
}
|
||||
default:
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -118,10 +118,11 @@ struct crypter_t {
|
|||
* @brief Generic constructor for crypter_t objects.
|
||||
*
|
||||
* @param encryption_algorithm Algorithm to use for crypter
|
||||
* @param blocksize block size in bytes
|
||||
* @return
|
||||
* - crypter_t if successfully
|
||||
* - NULL if out of ressources or crypter not supported
|
||||
*/
|
||||
crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm);
|
||||
crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm, size_t blocksize);
|
||||
|
||||
#endif /*CRYPTER_H_*/
|
||||
|
|
|
@ -148,6 +148,7 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
|
|||
logger_level |= FULL;
|
||||
break;
|
||||
case IKE_SA:
|
||||
logger_level |= FULL;
|
||||
case IKE_SA_MANAGER:
|
||||
case MESSAGE:
|
||||
logger_level |= ALL;
|
||||
|
|
Loading…
Reference in New Issue