added hooks for IKE and CHILD keymat
authorMartin Willi <martin@strongswan.org>
Thu, 30 Oct 2008 12:58:54 +0000 (12:58 -0000)
committerMartin Willi <martin@strongswan.org>
Thu, 30 Oct 2008 12:58:54 +0000 (12:58 -0000)
src/charon/bus/bus.c
src/charon/bus/bus.h
src/charon/plugins/stroke/stroke_list.c
src/charon/sa/ike_sa.c
src/charon/sa/ike_sa.h
src/charon/sa/keymat.c
src/charon/sa/keymat.h
src/charon/sa/tasks/child_create.c
src/charon/sa/tasks/ike_init.c

index 371d431..7ad929b 100644 (file)
@@ -440,6 +440,74 @@ static void message(private_bus_t *this, message_t *message, bool incoming)
 }
 
 /**
+ * Implementation of bus_t.ike_keys
+ */
+static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
+                                        diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r,
+                                        ike_sa_t *rekey)
+{
+       enumerator_t *enumerator;
+       entry_t *entry;
+       bool keep;
+       
+       this->mutex->lock(this->mutex);
+       enumerator = this->listeners->create_enumerator(this->listeners);
+       while (enumerator->enumerate(enumerator, &entry))
+       {
+               if (entry->calling || !entry->listener->ike_keys)
+               {
+                       continue;
+               }
+               entry->calling++;
+               keep = entry->listener->ike_keys(entry->listener, ike_sa, dh,
+                                                                                nonce_i, nonce_r, rekey);
+               entry->calling--;
+               if (!keep)
+               {
+                       unregister_listener(this, entry, enumerator);
+                       break;
+               }
+       }
+       enumerator->destroy(enumerator);
+       this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.child_keys
+ */
+static void child_keys(private_bus_t *this, child_sa_t *child_sa,
+                                          diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
+{
+       enumerator_t *enumerator;
+       ike_sa_t *ike_sa;
+       entry_t *entry;
+       bool keep;
+       
+       ike_sa = pthread_getspecific(this->thread_sa);
+       
+       this->mutex->lock(this->mutex);
+       enumerator = this->listeners->create_enumerator(this->listeners);
+       while (enumerator->enumerate(enumerator, &entry))
+       {
+               if (entry->calling || !entry->listener->child_keys)
+               {
+                       continue;
+               }
+               entry->calling++;
+               keep = entry->listener->child_keys(entry->listener, ike_sa, child_sa,
+                                                                                  dh, nonce_i, nonce_r);
+               entry->calling--;
+               if (!keep)
+               {
+                       unregister_listener(this, entry, enumerator);
+                       break;
+               }
+       }
+       enumerator->destroy(enumerator);
+       this->mutex->unlock(this->mutex);
+}
+
+/**
  * Implementation of bus_t.destroy.
  */
 static void destroy(private_bus_t *this)
@@ -465,6 +533,8 @@ bus_t *bus_create()
        this->public.ike_state_change = (void(*)(bus_t*,ike_sa_t*,ike_sa_state_t))ike_state_change;
        this->public.child_state_change = (void(*)(bus_t*,child_sa_t*,child_sa_state_t))child_state_change;
        this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message;
+       this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
+       this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
        this->public.destroy = (void(*)(bus_t*)) destroy;
        
        this->listeners = linked_list_create();
index 041cfad..23c4650 100644 (file)
@@ -179,7 +179,32 @@ struct listener_t {
         */
        bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message,
                                        bool incoming);
-
+       
+       /**
+        * Hook called with IKE_SA key material.
+        *
+        * @param ike_sa        IKE_SA this keymat belongs to
+        * @param dh            diffie hellman shared secret
+        * @param nonce_i       initiators nonce
+        * @param nonce_r       responders nonce
+        * @param rekey         IKE_SA we are rekeying, if any
+        * @return                      TRUE to stay registered, FALSE to unregister
+        */
+       bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+                                        chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
+       
+       /**
+        * Hook called with CHILD_SA key material.
+        *
+        * @param ike_sa        IKE_SA the child sa belongs to
+        * @param child_sa      CHILD_SA this keymat is used for
+        * @param dh            diffie hellman shared secret
+        * @param nonce_i       initiators nonce
+        * @param nonce_r       responders nonce
+        * @return                      TRUE to stay registered, FALSE to unregister
+        */
+       bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+                                          diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
 };
 
 /**
@@ -262,7 +287,6 @@ struct bus_t {
         */
        void (*vlog)(bus_t *this, debug_t group, level_t level,
                                 char* format, va_list args);
-       
        /**
         * Send a IKE_SA state change event to the bus.
         *
@@ -271,7 +295,6 @@ struct bus_t {
         */
        void (*ike_state_change)(bus_t *this, ike_sa_t *ike_sa,
                                                         ike_sa_state_t state);
-       
        /**
         * Send a CHILD_SA state change event to the bus.
         *
@@ -280,7 +303,6 @@ struct bus_t {
         */
        void (*child_state_change)(bus_t *this, child_sa_t *child_sa,
                                                           child_sa_state_t state);
-       
        /**
         * Message send/receive hook.
         *
@@ -290,6 +312,27 @@ struct bus_t {
        void (*message)(bus_t *this, message_t *message, bool incoming);
        
        /**
+        * IKE_SA keymat hook.
+        *
+        * @param ike_sa        IKE_SA this keymat belongs to
+        * @param dh            diffie hellman shared secret
+        * @param nonce_i       initiators nonce
+        * @param nonce_r       responders nonce
+        * @param rekey         IKE_SA we are rekeying, if any
+        */
+       void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+                                        chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
+       /**
+        * CHILD_SA keymat hook.
+        *
+        * @param child_sa      CHILD_SA this keymat is used for
+        * @param dh            diffie hellman shared secret
+        * @param nonce_i       initiators nonce
+        * @param nonce_r       responders nonce
+        */
+       void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh,
+                                          chunk_t nonce_i, chunk_t nonce_r);
+       /**
         * Destroy the event bus.
         */
        void (*destroy) (bus_t *this);
index eb15e24..7d5c86a 100644 (file)
@@ -79,11 +79,9 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
        
        if (all)
        {
-               keymat_t *keymat;
                proposal_t *ike_proposal;
                
-               keymat = ike_sa->get_keymat(ike_sa);
-               ike_proposal = keymat->get_proposal(keymat);
+               ike_proposal = ike_sa->get_proposal(ike_sa);
                
                fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s",
                                ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
index 5f02157..d07867c 100644 (file)
@@ -129,6 +129,11 @@ struct private_ike_sa_t {
        auth_info_t *other_auth;
        
        /**
+        * Selected IKE proposal
+        */
+       proposal_t *proposal;
+       
+       /**
         * Juggles tasks to process messages
         */
        task_manager_t *task_manager;
@@ -393,6 +398,23 @@ static auth_info_t* get_other_auth(private_ike_sa_t *this)
 }
 
 /**
+ * Implementation of ike_sa_t.get_proposal
+ */
+static proposal_t* get_proposal(private_ike_sa_t *this)
+{
+       return this->proposal;
+}
+
+/**
+ * Implementation of ike_sa_t.set_proposal
+ */
+static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
+{
+       DESTROY_IF(this->proposal);
+       this->proposal = proposal->clone(proposal);
+}
+
+/**
  * Implementation of ike_sa_t.send_keepalive
  */
 static void send_keepalive(private_ike_sa_t *this)
@@ -2218,6 +2240,7 @@ static void destroy(private_ike_sa_t *this)
        DESTROY_IF(this->peer_cfg);
        DESTROY_IF(this->my_auth);
        DESTROY_IF(this->other_auth);
+       DESTROY_IF(this->proposal);
        
        this->ike_sa_id->destroy(this->ike_sa_id);
        free(this);
@@ -2247,6 +2270,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
        this->public.get_my_auth = (auth_info_t*(*)(ike_sa_t*))get_my_auth;
        this->public.get_other_auth = (auth_info_t*(*)(ike_sa_t*))get_other_auth;
+       this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
+       this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
        this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
        this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
        this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
@@ -2325,6 +2350,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        this->peer_cfg = NULL;
        this->my_auth = auth_info_create();
        this->other_auth = auth_info_create();
+       this->proposal = NULL;
        this->task_manager = task_manager_create(&this->public);
        this->unique_id = ++unique_id;
        this->my_virtual_ip = NULL;
index 354f026..6a8de69 100644 (file)
@@ -395,6 +395,20 @@ struct ike_sa_t {
        auth_info_t* (*get_other_auth)(ike_sa_t *this);
        
        /**
+        * Get the selected proposal of this IKE_SA.
+        *
+        * @return                              selected proposal
+        */
+       proposal_t* (*get_proposal)(ike_sa_t *this);
+       
+       /**
+        * Set the proposal selected for this IKE_SA.
+        *
+        * @param                               selected proposal
+        */
+       void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
+       
+       /**
         * Add an additional address for the peer.
         *
         * In MOBIKE, a peer may transmit additional addresses where it is
index 0557688..c2a899d 100644 (file)
@@ -76,11 +76,6 @@ struct private_keymat_t {
         * Key to verify incoming authentication data (SKp)
         */
        chunk_t skp_verify;
-       
-       /**
-        * Negotiated IKE proposal
-        */
-       proposal_t *proposal;
 };
 
 typedef struct keylen_entry_t keylen_entry_t;
@@ -350,9 +345,6 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
        /* all done, prf_plus not needed anymore */
        prf_plus->destroy(prf_plus);
        
-       /* save selected proposal */
-       this->proposal = proposal->clone(proposal);
-       
        return TRUE;
 }
 
@@ -451,14 +443,6 @@ static bool derive_child_keys(private_keymat_t *this,
 }
 
 /**
- * Implementation of keymat_t.get_proposal
- */
-static proposal_t* get_proposal(private_keymat_t *this)
-{
-       return this->proposal;
-}
-
-/**
  * Implementation of keymat_t.get_signer
  */
 static signer_t* get_signer(private_keymat_t *this, bool in)
@@ -546,7 +530,6 @@ static void destroy(private_keymat_t *this)
        DESTROY_IF(this->crypter_in);
        DESTROY_IF(this->crypter_out);
        DESTROY_IF(this->prf);
-       DESTROY_IF(this->proposal);
        chunk_clear(&this->skd);
        chunk_clear(&this->skp_verify);
        chunk_clear(&this->skp_build);
@@ -563,7 +546,6 @@ keymat_t *keymat_create(bool initiator)
        this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
        this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, keymat_t *rekey))derive_ike_keys;
        this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
-       this->public.get_proposal = (proposal_t*(*)(keymat_t*))get_proposal;
        this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer;
        this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter;
        this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
@@ -577,7 +559,6 @@ keymat_t *keymat_create(bool initiator)
        this->crypter_in = NULL;
        this->crypter_out = NULL;
        this->prf = NULL;
-       this->proposal = NULL;
        this->skd = chunk_empty;
        this->skp_verify = chunk_empty;
        this->skp_build = chunk_empty;
index 835ad45..3ca25da 100644 (file)
@@ -107,13 +107,6 @@ struct keymat_t {
        crypter_t* (*get_crypter)(keymat_t *this, bool in);
        
        /**
-        * Get the selected proposal passed to derive_ike_keys().
-        *
-        * @return                      selected proposal
-        */
-       proposal_t* (*get_proposal)(keymat_t *this);
-       
-       /**
         * Generate octets to use for authentication procedure (RFC4306 2.15).
         *
         * This method creates the plain octets and is usually signed by a private
index 541cf97..c4536d9 100644 (file)
@@ -197,7 +197,7 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host)
 static status_t select_and_install(private_child_create_t *this, bool no_dh)
 {
        status_t status;
-       chunk_t encr_i, integ_i, encr_r, integ_r;
+       chunk_t nonce_i, nonce_r, encr_i, integ_i, encr_r, integ_r;
        linked_list_t *my_ts, *other_ts;
        host_t *me, *other, *other_vip, *my_vip;
        
@@ -256,11 +256,15 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
        
        if (this->initiator)
        {
+               nonce_i = this->my_nonce;
+               nonce_r = this->other_nonce;
                my_ts = this->tsi;
                other_ts = this->tsr;
        }
        else
        {
+               nonce_r = this->my_nonce;
+               nonce_i = this->other_nonce;
                my_ts = this->tsr;
                other_ts = this->tsi;
        }
@@ -336,21 +340,15 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
        }
        
        status = FAILED;
-       if (this->initiator)
+       if (this->keymat->derive_child_keys(this->keymat, this->proposal,
+                       this->dh, nonce_i, nonce_r,     &encr_i, &integ_i, &encr_r, &integ_r))
        {
-               if (this->keymat->derive_child_keys(this->keymat, this->proposal,
-                                       this->dh, this->my_nonce, this->other_nonce,
-                                       &encr_i, &integ_i, &encr_r, &integ_r))
+               if (this->initiator)
                {
                        status = this->child_sa->update(this->child_sa, this->proposal,
                                                        this->mode, integ_r, integ_i, encr_r, encr_i);
                }
-       }
-       else
-       {
-               if (this->keymat->derive_child_keys(this->keymat, this->proposal,
-                                       this->dh, this->other_nonce, this->my_nonce,
-                                       &encr_i, &integ_i, &encr_r, &integ_r))
+               else
                {
                        status = this->child_sa->add(this->child_sa, this->proposal,
                                                        this->mode, integ_i, integ_r, encr_i, encr_r);
@@ -366,6 +364,10 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
                DBG1(DBG_IKE, "unable to install IPsec SA (SAD) in kernel");
                return FAILED;
        }
+       
+       charon->bus->child_keys(charon->bus, this->child_sa, this->dh,
+                                                       nonce_i, nonce_r);
+       
        /* add to IKE_SA, and remove from task */
        this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
        this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
index 522d1d7..ce440d8 100644 (file)
@@ -385,6 +385,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
                message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
                return FAILED;
        }
+       this->ike_sa->set_proposal(this->ike_sa, this->proposal);
        
        if (this->dh == NULL ||
                !this->proposal->has_dh_group(this->proposal, this->dh_group))
@@ -423,6 +424,9 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
                return FAILED;
        }
        
+       charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
+                                                 this->other_nonce, this->my_nonce, this->old_sa);
+       
        build_payloads(this, message);
        return SUCCESS;
 }
@@ -508,6 +512,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
                DBG1(DBG_IKE, "peers proposal selection invalid");
                return FAILED;
        }
+       this->ike_sa->set_proposal(this->ike_sa, this->proposal);
        
        if (this->dh == NULL ||
                !this->proposal->has_dh_group(this->proposal, this->dh_group))
@@ -529,6 +534,9 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
                return FAILED;
        }
        
+       charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
+                                                 this->my_nonce, this->other_nonce, this->old_sa);
+       
        return SUCCESS;
 }