keymat_v2: Add method to calculate IntAuth for IKE_INTERMEDIATE exchanges

Tobias Brunner 2019-07-02 15:01:26 +02:00
parent b8358936aa
commit a24993213e
3 changed files with 52 additions and 4 deletions


@ -1,5 +1,5 @@
/*
* Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2015-2019 Tobias Brunner
* Copyright (C) 2012 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
*
@ -246,6 +246,14 @@ METHOD(keymat_t, get_aead, aead_t*,
return this->aead;
}
METHOD(keymat_v2_t, get_int_auth, bool,
private_tkm_keymat_t *this, bool verify, chunk_t data, chunk_t prev,
chunk_t *auth)
{
DBG1(DBG_IKE, "TKM doesn't support IntAuth calculation");
return FALSE;
}
METHOD(keymat_v2_t, get_auth_octets, bool,
private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
chunk_t nonce, chunk_t ppk, identification_t *id, char reserved[3],
@ -388,6 +396,7 @@ tkm_keymat_t *tkm_keymat_create(bool initiator)
.derive_ike_keys_ppk = (void*)return_false,
.derive_child_keys = _derive_child_keys,
.get_skd = _get_skd,
.get_int_auth = _get_int_auth,
.get_auth_octets = _get_auth_octets,
.get_psk_sig = _get_psk_sig,
.add_hash_algorithm = _add_hash_algorithm,
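Review bot: The TKM stub of get_int_auth returns FALSE without writing `*auth`, so a caller that passes an uninitialized chunk and frees or logs it on its error path would be working with garbage. Setting `*auth = chunk_empty;` before `return FALSE;` makes the failure contract explicit; the callers are not visible on this page, so whether any of them relies on this is unconfirmed. Because this backend always fails, a short comment on the method saying that IKE_INTERMEDIATE exchanges cannot complete with the TKM keymat would tell a reader that the DBG1 message is an expected outcome and not a sign of broken key state.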


@ -1,5 +1,5 @@
/*
* Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2015-2019 Tobias Brunner
* Copyright (C) 2008 Martin Willi
*
* Copyright (C) secunet Security Networks AG
@ -261,6 +261,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
return FALSE;
}
this->prf_alg = prf_alg;
DESTROY_IF(this->prf);
this->prf = lib->crypto->create_prf(lib->crypto, this->prf_alg);
if (!this->prf)
{
@ -656,6 +657,27 @@ METHOD(keymat_t, get_aead, aead_t*,
return in ? this->aead_in : this->aead_out;
}
METHOD(keymat_v2_t, get_int_auth, bool,
private_keymat_v2_t *this, bool verify, chunk_t data, chunk_t prev,
chunk_t *auth)
{
chunk_t skp;
skp = verify ? this->skp_verify : this->skp_build;
DBG3(DBG_IKE, "IntAuth_N-1 %B", &prev);
DBG3(DBG_IKE, "IntAuth_A|P %B", &data);
DBG4(DBG_IKE, "SK_p %B", &skp);
if (!this->prf->set_key(this->prf, skp) ||
!this->prf->allocate_bytes(this->prf, prev, NULL) ||
!this->prf->allocate_bytes(this->prf, data, auth))
{
return FALSE;
}
DBG3(DBG_IKE, "IntAuth_N = prf(Sk_px, data) %B", auth);
return TRUE;
}
METHOD(keymat_v2_t, get_auth_octets, bool,
private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
chunk_t nonce, chunk_t ppk, identification_t *id, char reserved[3],
@ -749,7 +771,6 @@ failure:
chunk_free(&octets);
chunk_free(&key);
return success;
}
METHOD(keymat_v2_t, hash_algorithm_supported, bool,
@ -805,6 +826,7 @@ keymat_v2_t *keymat_v2_create(bool initiator)
.derive_ike_keys_ppk = _derive_ike_keys_ppk,
.derive_child_keys = _derive_child_keys,
.get_skd = _get_skd,
.get_int_auth = _get_int_auth,
.get_auth_octets = _get_auth_octets,
.get_psk_sig = _get_psk_sig,
.add_hash_algorithm = _add_hash_algorithm,
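Review bot: get_int_auth dereferences `this->prf` and keys it with `skp` without checking that either has been set. The hunk at -261 shows `this->prf` being created in derive_ike_keys and left NULL when create_prf fails; where `skp_verify`/`skp_build` are assigned is not visible here. A call before successful key derivation would therefore dereference NULL or compute the PRF under an empty key, and a guard such as `if (!this->prf || !skp.len) { return FALSE; }` ahead of the set_key call fails closed. The final debug string `IntAuth_N = prf(Sk_px, data)` also understates the input, since `prev` is fed to the PRF first; `prf(SK_px, IntAuth_N-1 | data)` would match the code.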


@ -1,5 +1,5 @@
/*
* Copyright (C) 2011-2015 Tobias Brunner
* Copyright (C) 2011-2019 Tobias Brunner
*
* Copyright (C) secunet Security Networks AG
*
@ -91,6 +91,7 @@ struct keymat_v2_t {
chunk_t nonce_i, chunk_t nonce_r,
chunk_t *encr_i, chunk_t *integ_i,
chunk_t *encr_r, chunk_t *integ_r);
/**
* Get SKd to pass to derive_ikey_keys() during rekeying.
*
@ -99,6 +100,22 @@ struct keymat_v2_t {
*/
pseudo_random_function_t (*get_skd)(keymat_v2_t *this, chunk_t *skd);
/**
* Generate data for signed octets when using IKE_INTEMEDIATE exchanges.
*
* The supplied chunk must contain the IKE header until the end of the
* Encrypted Payload header followed by the plaintext contents of the
* latter.
*
* @param verify TRUE as recipient, FALSE as sender
* @param data IKE_INTERMEDIATE packet data
* @param prev previous IntAuth value
* @param[out] auth IntAuth data to be used later with get_auth_octets()
* @return TRUE if octets created successfully
*/
bool (*get_int_auth)(keymat_v2_t *this, bool verify, chunk_t data,
chunk_t prev, chunk_t *auth);
/**
* Generate octets to use for authentication procedure (RFC4306 2.15).
*
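Review bot: The doc comment for get_int_auth does not say who owns `auth`. The keymat_v2 implementation on this page fills it through `allocate_bytes`, so the caller has to free it, and the contract should state that, e.g. `@param[out] auth	allocated IntAuth data, to be used later with get_auth_octets()`. It also leaves open what `prev` should be for the first IKE_INTERMEDIATE exchange (presumably an empty chunk, to be confirmed), and `@return` speaks of octets where the IntAuth value is meant. `IKE_INTEMEDIATE` in the summary line is misspelled.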