}
/**
+ * Implementation of bus_t.ike_keys
+ */
+static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
+ diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r,
+ ike_sa_t *rekey)
+{
+ enumerator_t *enumerator;
+ entry_t *entry;
+ bool keep;
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->calling || !entry->listener->ike_keys)
+ {
+ continue;
+ }
+ entry->calling++;
+ keep = entry->listener->ike_keys(entry->listener, ike_sa, dh,
+ nonce_i, nonce_r, rekey);
+ entry->calling--;
+ if (!keep)
+ {
+ unregister_listener(this, entry, enumerator);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.child_keys
+ */
+static void child_keys(private_bus_t *this, child_sa_t *child_sa,
+ diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
+{
+ enumerator_t *enumerator;
+ ike_sa_t *ike_sa;
+ entry_t *entry;
+ bool keep;
+
+ ike_sa = pthread_getspecific(this->thread_sa);
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->calling || !entry->listener->child_keys)
+ {
+ continue;
+ }
+ entry->calling++;
+ keep = entry->listener->child_keys(entry->listener, ike_sa, child_sa,
+ dh, nonce_i, nonce_r);
+ entry->calling--;
+ if (!keep)
+ {
+ unregister_listener(this, entry, enumerator);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
+/**
* Implementation of bus_t.destroy.
*/
static void destroy(private_bus_t *this)
this->public.ike_state_change = (void(*)(bus_t*,ike_sa_t*,ike_sa_state_t))ike_state_change;
this->public.child_state_change = (void(*)(bus_t*,child_sa_t*,child_sa_state_t))child_state_change;
this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message;
+ this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
+ this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
this->public.destroy = (void(*)(bus_t*)) destroy;
this->listeners = linked_list_create();
*/
bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message,
bool incoming);
-
+
+ /**
+ * Hook called with IKE_SA key material.
+ *
+ * @param ike_sa IKE_SA this keymat belongs to
+ * @param dh diffie hellman shared secret
+ * @param nonce_i initiators nonce
+ * @param nonce_r responders nonce
+ * @param rekey IKE_SA we are rekeying, if any
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+ chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
+
+ /**
+ * Hook called with CHILD_SA key material.
+ *
+ * @param ike_sa IKE_SA the child sa belongs to
+ * @param child_sa CHILD_SA this keymat is used for
+ * @param dh diffie hellman shared secret
+ * @param nonce_i initiators nonce
+ * @param nonce_r responders nonce
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+ diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
};
/**
*/
void (*vlog)(bus_t *this, debug_t group, level_t level,
char* format, va_list args);
-
/**
* Send a IKE_SA state change event to the bus.
*
*/
void (*ike_state_change)(bus_t *this, ike_sa_t *ike_sa,
ike_sa_state_t state);
-
/**
* Send a CHILD_SA state change event to the bus.
*
*/
void (*child_state_change)(bus_t *this, child_sa_t *child_sa,
child_sa_state_t state);
-
/**
* Message send/receive hook.
*
void (*message)(bus_t *this, message_t *message, bool incoming);
/**
+ * IKE_SA keymat hook.
+ *
+ * @param ike_sa IKE_SA this keymat belongs to
+ * @param dh diffie hellman shared secret
+ * @param nonce_i initiators nonce
+ * @param nonce_r responders nonce
+ * @param rekey IKE_SA we are rekeying, if any
+ */
+ void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+ chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
+ /**
+ * CHILD_SA keymat hook.
+ *
+ * @param child_sa CHILD_SA this keymat is used for
+ * @param dh diffie hellman shared secret
+ * @param nonce_i initiators nonce
+ * @param nonce_r responders nonce
+ */
+ void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh,
+ chunk_t nonce_i, chunk_t nonce_r);
+ /**
* Destroy the event bus.
*/
void (*destroy) (bus_t *this);
if (all)
{
- keymat_t *keymat;
proposal_t *ike_proposal;
- keymat = ike_sa->get_keymat(ike_sa);
- ike_proposal = keymat->get_proposal(keymat);
+ ike_proposal = ike_sa->get_proposal(ike_sa);
fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s",
ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
auth_info_t *other_auth;
/**
+ * Selected IKE proposal
+ */
+ proposal_t *proposal;
+
+ /**
* Juggles tasks to process messages
*/
task_manager_t *task_manager;
}
/**
+ * Implementation of ike_sa_t.get_proposal
+ */
+static proposal_t* get_proposal(private_ike_sa_t *this)
+{
+ return this->proposal;
+}
+
+/**
+ * Implementation of ike_sa_t.set_proposal
+ */
+static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
+{
+ DESTROY_IF(this->proposal);
+ this->proposal = proposal->clone(proposal);
+}
+
+/**
* Implementation of ike_sa_t.send_keepalive
*/
static void send_keepalive(private_ike_sa_t *this)
DESTROY_IF(this->peer_cfg);
DESTROY_IF(this->my_auth);
DESTROY_IF(this->other_auth);
+ DESTROY_IF(this->proposal);
this->ike_sa_id->destroy(this->ike_sa_id);
free(this);
this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
this->public.get_my_auth = (auth_info_t*(*)(ike_sa_t*))get_my_auth;
this->public.get_other_auth = (auth_info_t*(*)(ike_sa_t*))get_other_auth;
+ this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
+ this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
this->peer_cfg = NULL;
this->my_auth = auth_info_create();
this->other_auth = auth_info_create();
+ this->proposal = NULL;
this->task_manager = task_manager_create(&this->public);
this->unique_id = ++unique_id;
this->my_virtual_ip = NULL;
auth_info_t* (*get_other_auth)(ike_sa_t *this);
/**
+ * Get the selected proposal of this IKE_SA.
+ *
+ * @return selected proposal
+ */
+ proposal_t* (*get_proposal)(ike_sa_t *this);
+
+ /**
+ * Set the proposal selected for this IKE_SA.
+ *
+ * @param selected proposal
+ */
+ void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
+
+ /**
* Add an additional address for the peer.
*
* In MOBIKE, a peer may transmit additional addresses where it is
* Key to verify incoming authentication data (SKp)
*/
chunk_t skp_verify;
-
- /**
- * Negotiated IKE proposal
- */
- proposal_t *proposal;
};
typedef struct keylen_entry_t keylen_entry_t;
/* all done, prf_plus not needed anymore */
prf_plus->destroy(prf_plus);
- /* save selected proposal */
- this->proposal = proposal->clone(proposal);
-
return TRUE;
}
}
/**
- * Implementation of keymat_t.get_proposal
- */
-static proposal_t* get_proposal(private_keymat_t *this)
-{
- return this->proposal;
-}
-
-/**
* Implementation of keymat_t.get_signer
*/
static signer_t* get_signer(private_keymat_t *this, bool in)
DESTROY_IF(this->crypter_in);
DESTROY_IF(this->crypter_out);
DESTROY_IF(this->prf);
- DESTROY_IF(this->proposal);
chunk_clear(&this->skd);
chunk_clear(&this->skp_verify);
chunk_clear(&this->skp_build);
this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, keymat_t *rekey))derive_ike_keys;
this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
- this->public.get_proposal = (proposal_t*(*)(keymat_t*))get_proposal;
this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer;
this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter;
this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
this->crypter_in = NULL;
this->crypter_out = NULL;
this->prf = NULL;
- this->proposal = NULL;
this->skd = chunk_empty;
this->skp_verify = chunk_empty;
this->skp_build = chunk_empty;
crypter_t* (*get_crypter)(keymat_t *this, bool in);
/**
- * Get the selected proposal passed to derive_ike_keys().
- *
- * @return selected proposal
- */
- proposal_t* (*get_proposal)(keymat_t *this);
-
- /**
* Generate octets to use for authentication procedure (RFC4306 2.15).
*
* This method creates the plain octets and is usually signed by a private
static status_t select_and_install(private_child_create_t *this, bool no_dh)
{
status_t status;
- chunk_t encr_i, integ_i, encr_r, integ_r;
+ chunk_t nonce_i, nonce_r, encr_i, integ_i, encr_r, integ_r;
linked_list_t *my_ts, *other_ts;
host_t *me, *other, *other_vip, *my_vip;
if (this->initiator)
{
+ nonce_i = this->my_nonce;
+ nonce_r = this->other_nonce;
my_ts = this->tsi;
other_ts = this->tsr;
}
else
{
+ nonce_r = this->my_nonce;
+ nonce_i = this->other_nonce;
my_ts = this->tsr;
other_ts = this->tsi;
}
}
status = FAILED;
- if (this->initiator)
+ if (this->keymat->derive_child_keys(this->keymat, this->proposal,
+ this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
{
- if (this->keymat->derive_child_keys(this->keymat, this->proposal,
- this->dh, this->my_nonce, this->other_nonce,
- &encr_i, &integ_i, &encr_r, &integ_r))
+ if (this->initiator)
{
status = this->child_sa->update(this->child_sa, this->proposal,
this->mode, integ_r, integ_i, encr_r, encr_i);
}
- }
- else
- {
- if (this->keymat->derive_child_keys(this->keymat, this->proposal,
- this->dh, this->other_nonce, this->my_nonce,
- &encr_i, &integ_i, &encr_r, &integ_r))
+ else
{
status = this->child_sa->add(this->child_sa, this->proposal,
this->mode, integ_i, integ_r, encr_i, encr_r);
DBG1(DBG_IKE, "unable to install IPsec SA (SAD) in kernel");
return FAILED;
}
+
+ charon->bus->child_keys(charon->bus, this->child_sa, this->dh,
+ nonce_i, nonce_r);
+
/* add to IKE_SA, and remove from task */
this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
return FAILED;
}
+ this->ike_sa->set_proposal(this->ike_sa, this->proposal);
if (this->dh == NULL ||
!this->proposal->has_dh_group(this->proposal, this->dh_group))
return FAILED;
}
+ charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
+ this->other_nonce, this->my_nonce, this->old_sa);
+
build_payloads(this, message);
return SUCCESS;
}
DBG1(DBG_IKE, "peers proposal selection invalid");
return FAILED;
}
+ this->ike_sa->set_proposal(this->ike_sa, this->proposal);
if (this->dh == NULL ||
!this->proposal->has_dh_group(this->proposal, this->dh_group))
return FAILED;
}
+ charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
+ this->my_nonce, this->other_nonce, this->old_sa);
+
return SUCCESS;
}