Add skeleton for TKM keymat variant
authorReto Buerki <reet@codelabs.ch>
Tue, 21 Aug 2012 10:17:05 +0000 (12:17 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 Mar 2013 14:23:45 +0000 (15:23 +0100)
src/charon-tkm/src/charon-tkm.c
src/charon-tkm/src/tkm/tkm_keymat.c [new file with mode: 0644]
src/charon-tkm/src/tkm/tkm_keymat.h [new file with mode: 0644]

index bf8745a..e102b4e 100644 (file)
 #include <library.h>
 #include <utils/backtrace.h>
 #include <threading/thread.h>
+#include <sa/keymat.h>
 
 #include "tkm.h"
 #include "tkm_nonceg.h"
 #include "tkm_diffie_hellman.h"
+#include "tkm_keymat.h"
 
 /**
  * PID file, in which charon-tkm stores its process id
@@ -280,6 +282,9 @@ int main(int argc, char *argv[])
        lib->plugins->add_static_features(lib->plugins, "tkm-backend", features,
                        countof(features), TRUE);
 
+       /* register TKM keymat variant */
+       keymat_register_constructor(IKEV2, (keymat_constructor_t)tkm_keymat_create);
+
        /* initialize daemon */
        if (!charon->initialize(charon, PLUGINS))
        {
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
new file mode 100644 (file)
index 0000000..cdc6800
--- /dev/null
@@ -0,0 +1,132 @@
+/*
+ * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+
+#include "tkm_keymat.h"
+
+typedef struct private_tkm_keymat_t private_tkm_keymat_t;
+
+/**
+ * Private data of a keymat_t object.
+ */
+struct private_tkm_keymat_t {
+
+       /**
+        * Public tkm_keymat_t interface.
+        */
+       tkm_keymat_t public;
+
+};
+
+METHOD(keymat_t, get_version, ike_version_t,
+       private_tkm_keymat_t *this)
+{
+       return IKEV2;
+}
+
+METHOD(keymat_t, create_dh, diffie_hellman_t*,
+       private_tkm_keymat_t *this, diffie_hellman_group_t group)
+{
+       return lib->crypto->create_dh(lib->crypto, group);
+}
+
+METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
+       private_tkm_keymat_t *this)
+{
+       return lib->crypto->create_nonce_gen(lib->crypto);
+}
+
+METHOD(tkm_keymat_t, derive_ike_keys, bool,
+       private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+       chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
+       pseudo_random_function_t rekey_function, chunk_t rekey_skd)
+{
+       DBG1(DBG_IKE, "deriving IKE keys");
+       return FALSE;
+}
+
+METHOD(tkm_keymat_t, derive_child_keys, bool,
+       private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+       chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
+       chunk_t *encr_r, chunk_t *integ_r)
+{
+       DBG1(DBG_CHD, "deriving child keys");
+       return FALSE;
+}
+
+METHOD(keymat_t, get_aead, aead_t*,
+       private_tkm_keymat_t *this, bool in)
+{
+       DBG1(DBG_IKE, "get_aead called");
+       return NULL;
+}
+
+METHOD(tkm_keymat_t, get_auth_octets, bool,
+       private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
+       chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
+{
+       DBG1(DBG_IKE, "returning auth octets");
+       return FALSE;
+}
+
+METHOD(tkm_keymat_t, get_skd, pseudo_random_function_t,
+       private_tkm_keymat_t *this, chunk_t *skd)
+{
+       DBG1(DBG_IKE, "returning skd");
+       return PRF_UNDEFINED;
+}
+
+METHOD(tkm_keymat_t, get_psk_sig, bool,
+       private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
+       chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
+{
+       DBG1(DBG_IKE, "returning PSK signature");
+       return FALSE;
+}
+
+METHOD(keymat_t, destroy, void,
+       private_tkm_keymat_t *this)
+{
+       free(this);
+}
+
+/**
+ * See header.
+ */
+tkm_keymat_t *tkm_keymat_create(bool initiator)
+{
+       private_tkm_keymat_t *this;
+
+       INIT(this,
+               .public = {
+                       .keymat = {
+                               .get_version = _get_version,
+                               .create_dh = _create_dh,
+                               .create_nonce_gen = _create_nonce_gen,
+                               .get_aead = _get_aead,
+                               .destroy = _destroy,
+                       },
+                       .derive_ike_keys = _derive_ike_keys,
+                       .derive_child_keys = _derive_child_keys,
+                       .get_skd = _get_skd,
+                       .get_auth_octets = _get_auth_octets,
+                       .get_psk_sig = _get_psk_sig,
+               },
+       );
+
+       return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.h b/src/charon-tkm/src/tkm/tkm_keymat.h
new file mode 100644 (file)
index 0000000..2def71f
--- /dev/null
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TKM_KEYMAT_H_
+#define TKM_KEYMAT_H_
+
+#include <sa/keymat.h>
+
+typedef struct tkm_keymat_t tkm_keymat_t;
+
+/**
+ * Derivation and management of sensitive keying material, TKM variant.
+ */
+struct tkm_keymat_t {
+
+       /**
+        * Implements keymat_t.
+        */
+       keymat_t keymat;
+
+       /**
+        * Use TKM to derive IKE key material.
+        *
+        * @param proposal      selected algorithms
+        * @param dh            diffie hellman key allocated by create_dh()
+        * @param nonce_i       initiators nonce value
+        * @param nonce_r       responders nonce value
+        * @param id            IKE_SA identifier
+        * @param rekey_prf     PRF of old SA if rekeying, PRF_UNDEFINED otherwise
+        * @param rekey_skd     SKd of old SA if rekeying
+        * @return                      TRUE on success
+        */
+       bool (*derive_ike_keys)(tkm_keymat_t *this, proposal_t *proposal,
+                                                       diffie_hellman_t *dh, chunk_t nonce_i,
+                                                       chunk_t nonce_r, ike_sa_id_t *id,
+                                                       pseudo_random_function_t rekey_function,
+                                                       chunk_t rekey_skd);
+
+       /**
+        * Use TKM to derive child key material.
+        *
+        * @param proposal      selected algorithms
+        * @param dh            diffie hellman key allocated by create_dh(), or NULL
+        * @param nonce_i       initiators nonce value
+        * @param nonce_r       responders nonce value
+        * @param encr_i        handle to initiators encryption key
+        * @param integ_i       handle to initiators integrity key
+        * @param encr_r        handle to responders encryption key
+        * @param integ_r       handle to responders integrity key
+        * @return                      TRUE on success
+        */
+       bool (*derive_child_keys)(tkm_keymat_t *this,
+                                                         proposal_t *proposal, diffie_hellman_t *dh,
+                                                         chunk_t nonce_i, chunk_t nonce_r,
+                                                         chunk_t *encr_i, chunk_t *integ_i,
+                                                         chunk_t *encr_r, chunk_t *integ_r);
+
+       /**
+        * Use TKM to generate auth octets.
+        *
+        * @param verify                TRUE to create for verfification, FALSE to sign
+        * @param ike_sa_init   encoded ike_sa_init message
+        * @param nonce                 nonce value
+        * @param id                    identity
+        * @param reserved              reserved bytes of id_payload
+        * @param octests               chunk receiving allocated auth octets
+        * @return                              TRUE if octets created successfully
+        */
+       bool (*get_auth_octets)(tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
+                                                       chunk_t nonce, identification_t *id,
+                                                       char reserved[3], chunk_t *octets);
+
+       /**
+        * Get SKd and PRF to derive keymat.
+        *
+        * @param skd   chunk to write SKd to (internal data)
+        * @return              PRF function to derive keymat
+        */
+       pseudo_random_function_t (*get_skd)(tkm_keymat_t *this, chunk_t *skd);
+
+       /**
+        * Build the shared secret signature used for PSK and EAP authentication.
+        *
+        * @param verify                TRUE to create for verfification, FALSE to sign
+        * @param ike_sa_init   encoded ike_sa_init message
+        * @param nonce                 nonce value
+        * @param secret                optional secret to include into signature
+        * @param id                    identity
+        * @param reserved              reserved bytes of id_payload
+        * @param sign                  chunk receiving allocated signature octets
+        * @return                              TRUE if signature created successfully
+        */
+       bool (*get_psk_sig)(tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
+                                               chunk_t nonce, chunk_t secret,
+                                               identification_t *id, char reserved[3], chunk_t *sig);
+};
+
+/**
+ * Create TKM keymat instance.
+ *
+ * @param initiator                    TRUE if we are the initiator
+ * @return                                     keymat instance
+ */
+tkm_keymat_t *tkm_keymat_create(bool initiator);
+
+#endif /** KEYMAT_TKM_H_ */