diff --git a/Source/charon/config/configuration_manager.c b/Source/charon/config/configuration_manager.c index a26409b58..7468222e8 100644 --- a/Source/charon/config/configuration_manager.c +++ b/Source/charon/config/configuration_manager.c @@ -237,7 +237,7 @@ static status_t get_proposals_for_host(private_configuration_manager_t *this, ho proposal->destroy(proposal); return OUT_OF_RES; } - transform->set_transform_type(transform, INTEGRITIY_ALGORITHM); + transform->set_transform_type(transform, INTEGRITY_ALGORITHM); transform->set_transform_id(transform, AUTH_HMAC_MD5_96); attribute = transform_attribute_create(); @@ -320,102 +320,17 @@ static status_t select_proposals_for_host(private_configuration_manager_t *this, } /** - * Implements function configuration_manager_t.get_transforms_for_host_and_proposals. + * Implements function configuration_manager_t.check_selected_proposals_for_host. */ -static status_t get_transforms_for_host_and_proposals (private_configuration_manager_t *this, host_t *host, iterator_t *proposals,encryption_algorithm_t *encryption_algorithm,pseudo_random_function_t *pseudo_random_function, integrity_algorithm_t *integrity_algorithm) +static status_t check_selected_proposals_for_host (private_configuration_manager_t *this, host_t *host, iterator_t *proposals,bool *valid) { /* * Currently the given proposals are not checked if they are valid for specific host! * - * The first proposal is taken and the appropriate transform objects are created (only if they are supported) + * The first proposal is taken */ - encryption_algorithm_t selected_encryption_algorithm = ENCR_UNDEFINED; - pseudo_random_function_t selected_pseudo_random_function = PRF_UNDEFINED; - integrity_algorithm_t selected_integrity_algorithm = AUTH_UNDEFINED; - proposal_substructure_t *proposal; - iterator_t *transforms; - status_t status; - - this->logger->log(this->logger,CONTROL|MORE, "Going to get transforms for given proposal"); - - if (!proposals->has_next(proposals)) - { - this->logger->log(this->logger,ERROR | MORE, "No proposal available"); - return FAILED; - } - - status = proposals->current(proposals,(void **) &(proposal)); - if (status != SUCCESS) - { - this->logger->log(this->logger,ERROR, "Fatal error: could not get first proposal from iterator"); - return status; - } - - status = proposal->create_transform_substructure_iterator(proposal,&transforms,TRUE); - if (status != SUCCESS) - { - this->logger->log(this->logger,ERROR, "Fatal error: could not create iterator of transforms"); - return status; - } - - while (transforms->has_next(transforms)) - { - transform_substructure_t *current_transform; - transform_type_t transform_type; - u_int16_t transform_id; - - status = transforms->current(transforms,(void **) &(current_transform)); - if (status != SUCCESS) - { - this->logger->log(this->logger,ERROR, "Fatal error: could not get current transform substructure object"); - transforms->destroy(transforms); - return status; - } - - transform_type = current_transform->get_transform_type(current_transform); - transform_id = current_transform->get_transform_id(current_transform); - - this->logger->log(this->logger,CONTROL | MOST, "Going to process transform of type %s",mapping_find(transform_type_m,transform_type)); - switch (transform_type) - { - case ENCRYPTION_ALGORITHM: - { - this->logger->log(this->logger,CONTROL | MORE, "Encryption algorithm: %s",mapping_find(encryption_algorithm_m,transform_id)); - selected_encryption_algorithm = transform_id; - break; - } - case PSEUDO_RANDOM_FUNCTION: - { - this->logger->log(this->logger,CONTROL | MORE, "Create transform object for PRF of type %s",mapping_find(pseudo_random_function_m,transform_id)); - selected_pseudo_random_function = transform_id; - break; - } - case INTEGRITIY_ALGORITHM: - { - this->logger->log(this->logger,CONTROL | MORE, "Integrity algorithm: %s",mapping_find(integrity_algorithm_m,transform_id)); - selected_integrity_algorithm = transform_id; - break; - } - case DIFFIE_HELLMAN_GROUP: - { - this->logger->log(this->logger,CONTROL | MORE, "DH Group: %s",mapping_find(diffie_hellman_group_m,transform_id)); - break; - } - default: - { - this->logger->log(this->logger,ERROR | MORE, "Transform type not supported!"); - transforms->destroy(transforms); - return FAILED; - } - } - } - - transforms->destroy(transforms); - - *encryption_algorithm = selected_encryption_algorithm; - *pseudo_random_function = selected_pseudo_random_function; - *integrity_algorithm = selected_integrity_algorithm; + this->logger->log(this->logger,CONTROL|MORE, "Going to check selected proposals"); return SUCCESS; } @@ -472,7 +387,7 @@ configuration_manager_t *configuration_manager_create() this->public.get_dh_group_number = (status_t(*)(configuration_manager_t*,char*,u_int16_t *, u_int16_t))get_dh_group_number; this->public.get_proposals_for_host = (status_t(*)(configuration_manager_t*,host_t*,iterator_t*))get_proposals_for_host; this->public.select_proposals_for_host = (status_t(*)(configuration_manager_t*,host_t*,iterator_t*,iterator_t*))select_proposals_for_host; - this->public.get_transforms_for_host_and_proposals = (status_t (*) (configuration_manager_t *, host_t *, iterator_t *,encryption_algorithm_t *,pseudo_random_function_t *, integrity_algorithm_t *)) get_transforms_for_host_and_proposals; + this->public.check_selected_proposals_for_host = (status_t (*) (configuration_manager_t *, host_t *, iterator_t *,bool *)) check_selected_proposals_for_host; this->public.is_dh_group_allowed_for_host = (status_t(*)(configuration_manager_t*,host_t*,diffie_hellman_group_t,bool*)) is_dh_group_allowed_for_host; /* private variables */ diff --git a/Source/charon/config/configuration_manager.h b/Source/charon/config/configuration_manager.h index fe0e5cc43..74be771f3 100644 --- a/Source/charon/config/configuration_manager.h +++ b/Source/charon/config/configuration_manager.h @@ -137,23 +137,24 @@ struct configuration_manager_t { status_t (*select_proposals_for_host) (configuration_manager_t *this, host_t *host, iterator_t *in, iterator_t *out); /** - * Returns the transforms of type crypter_t, signer_t and prf_t as specified in given proposal. + * Checks if the selected proposals of a remote hosts are valid. * * - * @param this calling object - * @param host host information - * @param proposals iterator with selected proposals - * @param[out] encryption_algorithm - * @param[out] pseudo_random_function - * @param[out] integrity_algorithm + * @param this calling object + * @param host host information + * @param proposals iterator with selected proposals + * @param[out] valid TRUE if selected proposals are accepted * - * @return - * - OUT_OF_RES - * - FAILED - * - NOT_FOUND (not yet implemented) - * - SUCCESS + * @return + * - OUT_OF_RES + * - FAILED + * - NOT_FOUND (not yet implemented) + * - SUCCESS */ - status_t (*get_transforms_for_host_and_proposals) (configuration_manager_t *this, host_t *host, iterator_t *proposals,encryption_algorithm_t *encryption_algorithm,pseudo_random_function_t *pseudo_random_function, integrity_algorithm_t *integrity_algorithm); + status_t (*check_selected_proposals_for_host) (configuration_manager_t *this, + host_t *host, + iterator_t *proposals, + bool *valid); /** * Checks if a given dh_group number is allowed for a specific host diff --git a/Source/charon/encoding/payloads/proposal_substructure.c b/Source/charon/encoding/payloads/proposal_substructure.c index ab575d425..b16fb9a85 100644 --- a/Source/charon/encoding/payloads/proposal_substructure.c +++ b/Source/charon/encoding/payloads/proposal_substructure.c @@ -327,6 +327,41 @@ static chunk_t get_spi (private_proposal_substructure_t *this) return spi; } +static status_t get_info_for_transform_type (private_proposal_substructure_t *this,transform_type_t type, u_int16_t *transform_id, u_int16_t *key_length) +{ + iterator_t *iterator; + status_t status; + u_int16_t found_transform_id; + u_int16_t found_key_length; + + status = this->transforms->create_iterator(this->transforms,&iterator,TRUE); + if (status != SUCCESS) + { + return status; + } + while (iterator->has_next(iterator)) + { + transform_substructure_t *current_transform; + status = iterator->current(iterator,(void **) ¤t_transform); + if (status != SUCCESS) + { + break; + } + if (current_transform->get_transform_type(current_transform) == type) + { + /* now get data for specific type */ + found_transform_id = current_transform->get_transform_id(current_transform); + status = current_transform->get_key_length(current_transform,&found_key_length); + *transform_id = found_transform_id; + *key_length = found_key_length; + iterator->destroy(iterator); + return status; + } + } + iterator->destroy(iterator); + return FAILED; +} + /** * Implements private_proposal_substructure_t's compute_length function. * See #private_proposal_substructure_s.compute_length for description. @@ -483,11 +518,13 @@ proposal_substructure_t *proposal_substructure_create() this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number; this->public.set_protocol_id = (status_t (*) (proposal_substructure_t *,u_int8_t))set_protocol_id; this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id; + this->public.get_info_for_transform_type = (status_t (*) (proposal_substructure_t *,transform_type_t,u_int16_t *, u_int16_t *))get_info_for_transform_type; this->public.set_spi = (status_t (*) (proposal_substructure_t *,chunk_t))set_spi; this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi; this->public.clone = (status_t (*) (proposal_substructure_t *, proposal_substructure_t **)) clone; this->public.destroy = (status_t (*) (proposal_substructure_t *)) destroy; + /* private functions */ this->compute_length = compute_length; diff --git a/Source/charon/encoding/payloads/proposal_substructure.h b/Source/charon/encoding/payloads/proposal_substructure.h index d6f90e403..ae54ef1d1 100644 --- a/Source/charon/encoding/payloads/proposal_substructure.h +++ b/Source/charon/encoding/payloads/proposal_substructure.h @@ -125,6 +125,21 @@ struct proposal_substructure_t { * @return protocol id of current proposal substructure. */ u_int8_t (*get_protocol_id) (proposal_substructure_t *this); + + /** + * @brief Get informations for a specific transform type. + * + * @param this calling proposal_substructure_t object + * @param type type to get informations for + * @param transform_id transform id of the specific type + * @param key_length key length of the specific key length transform attribute + * @return + * - SUCCESS if transform type is part of this proposal and + * all data (incl. key length) could be fetched + * - FAILED if transform type is not part of this proposal + * - OUT_OF_RES + */ + status_t (*get_info_for_transform_type) (proposal_substructure_t *this,transform_type_t type, u_int16_t *transform_id, u_int16_t *key_length); /** diff --git a/Source/charon/encoding/payloads/transform_substructure.c b/Source/charon/encoding/payloads/transform_substructure.c index 586ce2867..ff08f6c00 100644 --- a/Source/charon/encoding/payloads/transform_substructure.c +++ b/Source/charon/encoding/payloads/transform_substructure.c @@ -91,7 +91,7 @@ mapping_t transform_type_m[] = { {UNDEFINED_TRANSFORM_TYPE, "UNDEFINED_TRANSFORM_TYPE"}, {ENCRYPTION_ALGORITHM, "ENCRYPTION_ALGORITHM"}, {PSEUDO_RANDOM_FUNCTION, "PSEUDO_RANDOM_FUNCTION"}, - {INTEGRITIY_ALGORITHM, "INTEGRITIY_ALGORITHM"}, + {INTEGRITY_ALGORITHM, "INTEGRITY_ALGORITHM"}, {DIFFIE_HELLMAN_GROUP, "DIFFIE_HELLMAN_GROUP"}, {EXTENDED_SEQUENCE_NUNBERS, "EXTENDED_SEQUENCE_NUNBERS"}, {MAPPING_END, NULL} @@ -177,7 +177,7 @@ static status_t verify(private_transform_substructure_t *this) } break; } - case INTEGRITIY_ALGORITHM: + case INTEGRITY_ALGORITHM: { if ((this->transform_id < AUTH_HMAC_MD5_96) || (this->transform_id > AUTH_AES_XCBC_96)) { @@ -442,6 +442,43 @@ static status_t clone(private_transform_substructure_t *this,transform_substruct } +/** + * Implementation of transform_substructure_t.get_key_length. + */ +static status_t get_key_length(private_transform_substructure_t *this, u_int16_t *key_length) +{ + iterator_t *attributes; + status_t status; + + status = this->attributes->create_iterator(this->attributes,&attributes,TRUE); + if (status != SUCCESS) + { + return status; + } + + while (attributes->has_next(attributes)) + { + transform_attribute_t *current_attribute; + status = attributes->current(attributes,(void **) ¤t_attribute); + if (status != SUCCESS) + { + attributes->destroy(attributes); + return status; + } + if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH) + { + *key_length = current_attribute->get_value(current_attribute); + attributes->destroy(attributes); + return SUCCESS; + } + + } + attributes->destroy(attributes); + + return FAILED; +} + + /** * Implements payload_t's and transform_substructure_t's destroy function. * See #payload_s.destroy or transform_substructure_s.destroy for description. @@ -494,6 +531,7 @@ transform_substructure_t *transform_substructure_create() this->public.get_transform_type = (u_int8_t (*) (transform_substructure_t *)) get_transform_type; this->public.set_transform_id = (status_t (*) (transform_substructure_t *,u_int16_t)) set_transform_id; this->public.get_transform_id = (u_int16_t (*) (transform_substructure_t *)) get_transform_id; + this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length; this->public.clone = (status_t (*) (transform_substructure_t *,transform_substructure_t **)) clone; this->public.destroy = (status_t (*) (transform_substructure_t *)) destroy; diff --git a/Source/charon/encoding/payloads/transform_substructure.h b/Source/charon/encoding/payloads/transform_substructure.h index 8d49874db..51119d275 100644 --- a/Source/charon/encoding/payloads/transform_substructure.h +++ b/Source/charon/encoding/payloads/transform_substructure.h @@ -56,7 +56,7 @@ enum transform_type_t { UNDEFINED_TRANSFORM_TYPE = 241, ENCRYPTION_ALGORITHM = 1, PSEUDO_RANDOM_FUNCTION = 2, - INTEGRITIY_ALGORITHM = 3, + INTEGRITY_ALGORITHM = 3, DIFFIE_HELLMAN_GROUP = 4, EXTENDED_SEQUENCE_NUNBERS = 5 }; @@ -180,6 +180,19 @@ struct transform_substructure_t { * @return Transform id of current transform substructure. */ u_int16_t (*get_transform_id) (transform_substructure_t *this); + + /** + * @brief get transform id of the current transform. + * + * @param this calling transform_substructure_t object + * @param key_length The key length is written to this location + * @return + * - SUCCESS if a key length attribute is contained + * - FAILED if no key length attribute is part of this + * transform or key length uses more then 16 bit! + * - OUT_OF_RES + */ + status_t (*get_key_length) (transform_substructure_t *this,u_int16_t *key_length); /** * @brief Clones an transform_substructure_t object. diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c index 79620f29c..914da1e74 100644 --- a/Source/charon/sa/ike_sa.c +++ b/Source/charon/sa/ike_sa.c @@ -32,6 +32,7 @@ #include #include #include +#include #include #include #include @@ -348,6 +349,9 @@ static ike_sa_id_t* get_id(private_ike_sa_t *this) return this->ike_sa_id; } +/** + * @brief implements function protected_ike_sa_t.compute_secrets + */ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret,chunk_t initiator_nonce, chunk_t responder_nonce) { chunk_t concatenated_nonces; @@ -357,8 +361,8 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret u_int64_t initiator_spi; u_int64_t responder_spi; prf_plus_t *prf_plus; - chunk_t secrets_raw; - + + /* * TODO check length for specific prf's */ @@ -398,6 +402,7 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret return FAILED; } + /* first is initiator */ memcpy(prf_plus_seed.ptr,initiator_nonce.ptr,initiator_nonce.len); /* second is responder */ @@ -409,8 +414,8 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret responder_spi = this->ike_sa_id->get_responder_spi(this->ike_sa_id); memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len + 8,&responder_spi,8); - this->logger->log_chunk(this->logger, PRIVATE, "Keyseed", &skeyseed); - this->logger->log_chunk(this->logger, PRIVATE, "PRF+ Seed", &prf_plus_seed); + this->logger->log_chunk(this->logger, PRIVATE | MORE, "Keyseed", &skeyseed); + this->logger->log_chunk(this->logger, PRIVATE | MORE, "PRF+ Seed", &prf_plus_seed); this->logger->log(this->logger, CONTROL | MOST, "Set new key of prf object"); status = this->prf->set_key(this->prf,skeyseed); @@ -431,11 +436,85 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret return FAILED; } - prf_plus->allocate_bytes(prf_plus,100,&secrets_raw); + status = prf_plus->allocate_bytes(prf_plus,this->prf->get_block_size(this->prf),&(this->secrets.d_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_d"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", &(this->secrets.d_key)); + + status = prf_plus->allocate_bytes(prf_plus,this->crypter_initiator->get_block_size(this->crypter_initiator),&(this->secrets.ei_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ei"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", &(this->secrets.ei_key)); + status = this->crypter_initiator->set_key(this->crypter_initiator,this->secrets.ei_key); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not set encryption key initiator crypter"); + return status; + } + + status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.er_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_er"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &(this->secrets.er_key)); + status = this->crypter_responder->set_key(this->crypter_responder,this->secrets.er_key); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not set encryption key responder crypter"); + return status; + } + + status = prf_plus->allocate_bytes(prf_plus,this->signer_initiator->get_block_size(this->signer_initiator),&(this->secrets.ai_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ai"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", &(this->secrets.ai_key)); + status = this->signer_initiator->set_key(this->signer_initiator,this->secrets.ai_key); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not set key for initiator signer"); + return status; + } + + status = prf_plus->allocate_bytes(prf_plus,this->signer_responder->get_block_size(this->signer_responder),&(this->secrets.ar_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ar"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", &(this->secrets.ar_key)); + status = this->signer_responder->set_key(this->signer_responder,this->secrets.ar_key); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not set key for responder signer"); + return status; + } + + status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pi_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_pi"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &(this->secrets.pi_key)); - this->logger->log_chunk(this->logger, PRIVATE, "Secrets", &secrets_raw); - - allocator_free_chunk(&secrets_raw); + status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pr_key)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_pr"); + return status; + } + this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &(this->secrets.pr_key)); prf_plus->destroy(prf_plus); @@ -496,6 +575,7 @@ status_t create_delete_job (private_ike_sa_t *this) */ static void set_new_state (private_ike_sa_t *this, state_t *state) { + this->logger->log(this->logger, ERROR, "Change current state %s to %s",mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),mapping_find(ike_sa_state_m,state->get_state(state))); this->current_state = state; } @@ -530,6 +610,7 @@ static void set_my_host (private_ike_sa_t *this, host_t *my_host) { if (this->me.host != NULL) { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing my host object"); this->me.host->destroy(this->me.host); } this->me.host = my_host; @@ -542,6 +623,7 @@ static void set_other_host (private_ike_sa_t *this, host_t *other_host) { if (this->other.host != NULL) { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing other host object"); this->other.host->destroy(this->other.host); } this->other.host = other_host; @@ -550,13 +632,110 @@ static void set_other_host (private_ike_sa_t *this, host_t *other_host) /** * Implementation of protected_ike_sa_t.set_prf. */ -static void set_prf (private_ike_sa_t *this,prf_t *prf) +static status_t create_transforms_from_proposal (private_ike_sa_t *this,proposal_substructure_t *proposal) { + status_t status; + u_int16_t encryption_algorithm; + u_int16_t encryption_algorithm_key_length; + u_int16_t integrity_algorithm; + u_int16_t integrity_algorithm_key_length; + u_int16_t pseudo_random_function; + u_int16_t pseudo_random_function_key_length; + + this ->logger->log(this->logger, CONTROL|MORE, "Going to create transform objects for proposal"); + + this ->logger->log(this->logger, CONTROL|MOST, "Get encryption transform type"); + status = proposal->get_info_for_transform_type(proposal,ENCRYPTION_ALGORITHM,&(encryption_algorithm),&(encryption_algorithm_key_length)); + if (status != SUCCESS) + { + this ->logger->log(this->logger, ERROR|MORE, "Could not get encryption transform type"); + return status; + } + this ->logger->log(this->logger, CONTROL|MORE, "Encryption algorithm: %s with keylength %d",mapping_find(encryption_algorithm_m,encryption_algorithm),encryption_algorithm_key_length); + + this ->logger->log(this->logger, CONTROL|MOST, "Get integrity transform type"); + status = proposal->get_info_for_transform_type(proposal,INTEGRITY_ALGORITHM,&(integrity_algorithm),&(integrity_algorithm_key_length)); + if (status != SUCCESS) + { + this ->logger->log(this->logger, ERROR|MORE, "Could not get integrity transform type"); + return status; + } + this ->logger->log(this->logger, CONTROL|MORE, "integrity algorithm: %s with keylength %d",mapping_find(integrity_algorithm_m,integrity_algorithm),integrity_algorithm_key_length); + + this ->logger->log(this->logger, CONTROL|MOST, "Get prf transform type"); + status = proposal->get_info_for_transform_type(proposal,PSEUDO_RANDOM_FUNCTION,&(pseudo_random_function),&(pseudo_random_function_key_length)); + if (status != SUCCESS) + { + this ->logger->log(this->logger, ERROR|MORE, "Could not prf transform type"); + return status; + } + this ->logger->log(this->logger, CONTROL|MORE, "prf: %s with keylength %d",mapping_find(pseudo_random_function_m,pseudo_random_function),pseudo_random_function_key_length); + + + + if (this->prf != NULL) { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing prf_t object"); this->prf->destroy(this->prf); } - this->prf = prf; + this->prf = prf_create(pseudo_random_function); + if (this->prf == NULL) + { + this ->logger->log(this->logger, ERROR|MORE, "prf does not seem to be supported!"); + return FAILED; + } + + if (this->crypter_initiator != NULL) + { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing initiator crypter_t object"); + this->crypter_initiator->destroy(this->crypter_initiator); + } + this->crypter_initiator = crypter_create(encryption_algorithm,encryption_algorithm_key_length); + if (this->crypter_initiator == NULL) + { + this ->logger->log(this->logger, ERROR|MORE, "encryption algorithm does not seem to be supported!"); + return FAILED; + } + + if (this->crypter_responder != NULL) + { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing responder crypter_t object"); + this->crypter_responder->destroy(this->crypter_responder); + } + this->crypter_responder = crypter_create(encryption_algorithm,encryption_algorithm_key_length); + if (this->crypter_responder == NULL) + { + this ->logger->log(this->logger, ERROR|MORE, "encryption algorithm does not seem to be supported!"); + return FAILED; + } + + if (this->signer_initiator != NULL) + { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing initiator signer_t object"); + this->signer_initiator->destroy(this->signer_initiator); + } + this->signer_initiator = signer_create(integrity_algorithm); + if (this->signer_initiator == NULL) + { + this ->logger->log(this->logger, ERROR|MORE, "integrity algorithm does not seem to be supported!"); + return FAILED; + } + + + if (this->signer_responder != NULL) + { + this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing responder signer_t object"); + this->signer_responder->destroy(this->signer_responder); + } + this->signer_responder = signer_create(integrity_algorithm); + if (this->signer_responder == NULL) + { + this ->logger->log(this->logger, ERROR|MORE, "integrity algorithm does not seem to be supported!"); + return FAILED; + } + + return SUCCESS; } /** @@ -775,7 +954,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer; this->protected.set_last_requested_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_requested_message; this->protected.set_last_responded_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_responded_message; - this->protected.set_prf = (void (*) (protected_ike_sa_t *,prf_t *)) set_prf; + this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,proposal_substructure_t *)) create_transforms_from_proposal; this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state; /* private functions */ diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h index aa6c0d50f..8ea445b4e 100644 --- a/Source/charon/sa/ike_sa.h +++ b/Source/charon/sa/ike_sa.h @@ -26,6 +26,7 @@ #include #include +#include #include #include #include @@ -171,14 +172,16 @@ struct protected_ike_sa_t { void (*set_other_host) (protected_ike_sa_t *this,host_t *other_host); /** - * Sets the internal stored prf_t object. + * Creates all needed transform objects for given ike_sa_t using + * the informations stored in a proposal_substructure_t object * - * Allready existing object gets destroyed. object gets not cloned! + * Allready existing objects get destroyed. * * @param this calling object - * @param prf pointer to the new prf_t object + * @param proposal proposal used to get informations for transform + * objects (algorithms, key lengths, etc.) */ - void (*set_prf) (protected_ike_sa_t *this,prf_t *prf); + status_t (*create_transforms_from_proposal) (protected_ike_sa_t *this,proposal_substructure_t *proposal); /** * Sets the last requested message. diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c index 510697720..fd8032695 100644 --- a/Source/charon/sa/states/ike_sa_init_requested.c +++ b/Source/charon/sa/states/ike_sa_init_requested.c @@ -136,12 +136,10 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t { case SECURITY_ASSOCIATION: { - sa_payload_t *sa_payload = (sa_payload_t*)payload; - iterator_t *suggested_proposals; - encryption_algorithm_t encryption_algorithm = ENCR_UNDEFINED; - pseudo_random_function_t pseudo_random_function = PRF_UNDEFINED; - integrity_algorithm_t integrity_algorithm = AUTH_UNDEFINED; - prf_t *prf; + sa_payload_t *sa_payload = (sa_payload_t*)payload; + iterator_t *suggested_proposals; + proposal_substructure_t *suggested_proposal; + bool valid; /* get the list of suggested proposals */ @@ -153,27 +151,46 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t return status; } - /* now let the configuration-manager return the transforms for the given proposal*/ - this->logger->log(this->logger, CONTROL | MOST, "Get transforms for suggested proposal"); - status = global_configuration_manager->get_transforms_for_host_and_proposals(global_configuration_manager, - this->ike_sa->get_other_host(this->ike_sa), suggested_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm); + /* now let the configuration-manager check the selected proposals*/ + this->logger->log(this->logger, CONTROL | MOST, "Check suggested proposals"); + status = global_configuration_manager->check_selected_proposals_for_host(global_configuration_manager, + this->ike_sa->get_other_host(this->ike_sa), suggested_proposals,&valid); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | MORE, "Suggested proposals not supported!"); + this->logger->log(this->logger, ERROR | MORE, "Could not check suggested proposals!"); suggested_proposals->destroy(suggested_proposals); payloads->destroy(payloads); return status; } - suggested_proposals->destroy(suggested_proposals); - - prf = prf_create(pseudo_random_function); - if (prf == NULL) + + if (!valid) { - this->logger->log(this->logger, ERROR | MORE, "PRF type not supported"); + this->logger->log(this->logger, ERROR | MORE, "Suggested proposals not accepted!"); payloads->destroy(payloads); - return FAILED; + return status; + } + + + /* let the ike_sa create their own transforms from proposal informations */ + suggested_proposals->reset(suggested_proposals); + /* TODO check for true*/ + suggested_proposals->has_next(suggested_proposals); + status = suggested_proposals->current(suggested_proposals,(void **)&suggested_proposal); + suggested_proposals->destroy(suggested_proposals); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not get first proposal"); + payloads->destroy(payloads); + return status; + } + + status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,suggested_proposal); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Transform objects could not be created from selected proposal"); + payloads->destroy(payloads); + return status; } - this->ike_sa->set_prf(this->ike_sa,prf); /* ok, we have what we need for sa_payload */ diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c index 9c6067faa..8a8e0c6fc 100644 --- a/Source/charon/sa/states/responder_init.c +++ b/Source/charon/sa/states/responder_init.c @@ -223,10 +223,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa { sa_payload_t *sa_payload = (sa_payload_t*)payload; iterator_t *suggested_proposals, *accepted_proposals; - encryption_algorithm_t encryption_algorithm = ENCR_UNDEFINED; - pseudo_random_function_t pseudo_random_function = PRF_UNDEFINED; - integrity_algorithm_t integrity_algorithm = AUTH_UNDEFINED; - prf_t *prf; + proposal_substructure_t *accepted_proposal; status = this->proposals->create_iterator(this->proposals, &accepted_proposals, FALSE); if (status != SUCCESS) @@ -260,12 +257,13 @@ static status_t process_message(private_responder_init_t *this, message_t *messa /* iterators are not needed anymore */ suggested_proposals->destroy(suggested_proposals); - - /* now let the configuration-manager return the transforms for the given proposal*/ - this->logger->log(this->logger, CONTROL | MOST, "Get transforms for accepted proposal"); - status = global_configuration_manager->get_transforms_for_host_and_proposals(global_configuration_manager, - this->ike_sa->get_other_host(this->ike_sa), accepted_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm); + + /* let the ike_sa create their own transforms from proposal informations */ + accepted_proposals->reset(accepted_proposals); + /* TODO check for true*/ + accepted_proposals->has_next(accepted_proposals); + status = accepted_proposals->current(accepted_proposals,(void **)&accepted_proposal); if (status != SUCCESS) { this->logger->log(this->logger, ERROR | MORE, "Accepted proposals not supported?!"); @@ -273,16 +271,15 @@ static status_t process_message(private_responder_init_t *this, message_t *messa payloads->destroy(payloads); return status; } - accepted_proposals->destroy(accepted_proposals); - prf = prf_create(pseudo_random_function); - if (prf == NULL) + status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,accepted_proposal); + accepted_proposals->destroy(accepted_proposals); + if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | MORE, "PRF type not supported"); + this->logger->log(this->logger, ERROR | MORE, "Transform objects could not be created from selected proposal"); payloads->destroy(payloads); - return FAILED; + return status; } - this->ike_sa->set_prf(this->ike_sa,prf); this->logger->log(this->logger, CONTROL | MORE, "SA Payload processed"); /* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/ @@ -397,8 +394,6 @@ static status_t process_message(private_responder_init_t *this, message_t *messa this->logger->log(this->logger, ERROR | MORE, "Secrets could not be computed!"); return status; } - - /* set up the reply */ status = this->ike_sa->build_message(this->ike_sa, IKE_SA_INIT, FALSE, &response); diff --git a/Source/charon/transforms/crypters/crypter.c b/Source/charon/transforms/crypters/crypter.c index 8a9f590d3..1a0f859eb 100644 --- a/Source/charon/transforms/crypters/crypter.c +++ b/Source/charon/transforms/crypters/crypter.c @@ -45,3 +45,20 @@ mapping_t encryption_algorithm_m[] = { {ENCR_AES_CTR, "ENCR_AES_CTR"}, {MAPPING_END, NULL} }; + +/* + * Described in header. + */ +crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm,size_t blocksize) +{ + switch (encryption_algorithm) + { + case ENCR_AES_CBC: + { + return (crypter_t*)aes_cbc_crypter_create(blocksize); + + } + default: + return NULL; + } +} diff --git a/Source/charon/transforms/crypters/crypter.h b/Source/charon/transforms/crypters/crypter.h index 1d2b2b35c..878ea5ef4 100644 --- a/Source/charon/transforms/crypters/crypter.h +++ b/Source/charon/transforms/crypters/crypter.h @@ -118,10 +118,11 @@ struct crypter_t { * @brief Generic constructor for crypter_t objects. * * @param encryption_algorithm Algorithm to use for crypter + * @param blocksize block size in bytes * @return * - crypter_t if successfully * - NULL if out of ressources or crypter not supported */ -crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm); +crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm, size_t blocksize); #endif /*CRYPTER_H_*/ diff --git a/Source/charon/utils/logger_manager.c b/Source/charon/utils/logger_manager.c index 021eeb2e4..005e6948b 100644 --- a/Source/charon/utils/logger_manager.c +++ b/Source/charon/utils/logger_manager.c @@ -148,6 +148,7 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t logger_level |= FULL; break; case IKE_SA: + logger_level |= FULL; case IKE_SA_MANAGER: case MESSAGE: logger_level |= ALL;