Avoid proxy for bypass_socket, enable_udp_decap
[strongswan.git] / src / charon-tkm / src / tkm / tkm_keymat.h
1 /*
2 * Copyright (C) 2012 Reto Buerki
3 * Copyright (C) 2012 Adrian-Ken Rueegsegger
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #ifndef TKM_KEYMAT_H_
18 #define TKM_KEYMAT_H_
19
20 #include <sa/keymat.h>
21
22 typedef struct tkm_keymat_t tkm_keymat_t;
23
24 /**
25 * Derivation and management of sensitive keying material, TKM variant.
26 */
27 struct tkm_keymat_t {
28
29 /**
30 * Implements keymat_t.
31 */
32 keymat_t keymat;
33
34 /**
35 * Use TKM to derive IKE key material.
36 *
37 * @param proposal selected algorithms
38 * @param dh diffie hellman key allocated by create_dh()
39 * @param nonce_i initiators nonce value
40 * @param nonce_r responders nonce value
41 * @param id IKE_SA identifier
42 * @param rekey_prf PRF of old SA if rekeying, PRF_UNDEFINED otherwise
43 * @param rekey_skd SKd of old SA if rekeying
44 * @return TRUE on success
45 */
46 bool (*derive_ike_keys)(tkm_keymat_t *this, proposal_t *proposal,
47 diffie_hellman_t *dh, chunk_t nonce_i,
48 chunk_t nonce_r, ike_sa_id_t *id,
49 pseudo_random_function_t rekey_function,
50 chunk_t rekey_skd);
51
52 /**
53 * Use TKM to derive child key material.
54 *
55 * @param proposal selected algorithms
56 * @param dh diffie hellman key allocated by create_dh(), or NULL
57 * @param nonce_i initiators nonce value
58 * @param nonce_r responders nonce value
59 * @param encr_i handle to initiators encryption key
60 * @param integ_i handle to initiators integrity key
61 * @param encr_r handle to responders encryption key
62 * @param integ_r handle to responders integrity key
63 * @return TRUE on success
64 */
65 bool (*derive_child_keys)(tkm_keymat_t *this,
66 proposal_t *proposal, diffie_hellman_t *dh,
67 chunk_t nonce_i, chunk_t nonce_r,
68 chunk_t *encr_i, chunk_t *integ_i,
69 chunk_t *encr_r, chunk_t *integ_r);
70
71 /**
72 * Use TKM to generate auth octets.
73 *
74 * @param verify TRUE to create for verfification, FALSE to sign
75 * @param ike_sa_init encoded ike_sa_init message
76 * @param nonce nonce value
77 * @param id identity
78 * @param reserved reserved bytes of id_payload
79 * @param octests chunk receiving allocated auth octets
80 * @return TRUE if octets created successfully
81 */
82 bool (*get_auth_octets)(tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
83 chunk_t nonce, identification_t *id,
84 char reserved[3], chunk_t *octets);
85
86 /**
87 * Get SKd and PRF to derive keymat.
88 *
89 * @param skd chunk to write SKd to (internal data)
90 * @return PRF function to derive keymat
91 */
92 pseudo_random_function_t (*get_skd)(tkm_keymat_t *this, chunk_t *skd);
93
94 /**
95 * Build the shared secret signature used for PSK and EAP authentication.
96 *
97 * @param verify TRUE to create for verfification, FALSE to sign
98 * @param ike_sa_init encoded ike_sa_init message
99 * @param nonce nonce value
100 * @param secret optional secret to include into signature
101 * @param id identity
102 * @param reserved reserved bytes of id_payload
103 * @param sign chunk receiving allocated signature octets
104 * @return TRUE if signature created successfully
105 */
106 bool (*get_psk_sig)(tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
107 chunk_t nonce, chunk_t secret,
108 identification_t *id, char reserved[3], chunk_t *sig);
109
110 /**
111 * Get ISA context id.
112 *
113 * @return id of associated ISA context.
114 */
115 isa_id_type (*get_isa_id)(tkm_keymat_t * const this);
116
117 /**
118 * Set IKE AUTH payload.
119 *
120 * @param payload AUTH payload
121 */
122 void (*set_auth_payload)(tkm_keymat_t *this, const chunk_t * const payload);
123
124 /**
125 * Get IKE AUTH payload.
126 *
127 * @return AUTH payload if set, chunk_empty otherwise
128 */
129 chunk_t* (*get_auth_payload)(tkm_keymat_t * const this);
130
131 };
132
133 /**
134 * Create TKM keymat instance.
135 *
136 * @param initiator TRUE if we are the initiator
137 * @return keymat instance
138 */
139 tkm_keymat_t *tkm_keymat_create(bool initiator);
140
141 #endif /** KEYMAT_TKM_H_ */