return lib->crypto->create_nonce_gen(lib->crypto);
}
-METHOD(tkm_keymat_t, derive_ike_keys, bool,
+METHOD(keymat_v2_t, derive_ike_keys, bool,
private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
pseudo_random_function_t rekey_function, chunk_t rekey_skd)
return TRUE;
}
-METHOD(tkm_keymat_t, derive_child_keys, bool,
+METHOD(keymat_v2_t, derive_child_keys, bool,
private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
chunk_t *encr_r, chunk_t *integ_r)
return in ? this->aead_in : this->aead_out;
}
-METHOD(tkm_keymat_t, get_auth_octets, bool,
+METHOD(keymat_v2_t, get_auth_octets, bool,
private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
{
return TRUE;
}
-METHOD(tkm_keymat_t, get_skd, pseudo_random_function_t,
+METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
private_tkm_keymat_t *this, chunk_t *skd)
{
*skd = chunk_clone(chunk_from_thing(this->isa_ctx_id));
return PRF_HMAC_SHA2_512;
}
-METHOD(tkm_keymat_t, get_psk_sig, bool,
+METHOD(keymat_v2_t, get_psk_sig, bool,
private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
{
INIT(this,
.public = {
- .keymat = {
- .get_version = _get_version,
- .create_dh = _create_dh,
- .create_nonce_gen = _create_nonce_gen,
- .get_aead = _get_aead,
- .destroy = _destroy,
+ .keymat_v2 = {
+ .keymat = {
+ .get_version = _get_version,
+ .create_dh = _create_dh,
+ .create_nonce_gen = _create_nonce_gen,
+ .get_aead = _get_aead,
+ .destroy = _destroy,
+ },
+ .derive_ike_keys = _derive_ike_keys,
+ .derive_child_keys = _derive_child_keys,
+ .get_skd = _get_skd,
+ .get_auth_octets = _get_auth_octets,
+ .get_psk_sig = _get_psk_sig,
},
- .derive_ike_keys = _derive_ike_keys,
- .derive_child_keys = _derive_child_keys,
- .get_skd = _get_skd,
- .get_auth_octets = _get_auth_octets,
- .get_psk_sig = _get_psk_sig,
.get_isa_id = _get_isa_id,
.set_auth_payload = _set_auth_payload,
.get_auth_payload = _get_auth_payload,
#ifndef TKM_KEYMAT_H_
#define TKM_KEYMAT_H_
-#include <sa/keymat.h>
+#include <sa/ikev2/keymat_v2.h>
typedef struct tkm_keymat_t tkm_keymat_t;
struct tkm_keymat_t {
/**
- * Implements keymat_t.
+ * Implements keymat_v2_t.
*/
- keymat_t keymat;
-
- /**
- * Use TKM to derive IKE key material.
- *
- * @param proposal selected algorithms
- * @param dh diffie hellman key allocated by create_dh()
- * @param nonce_i initiators nonce value
- * @param nonce_r responders nonce value
- * @param id IKE_SA identifier
- * @param rekey_prf PRF of old SA if rekeying, PRF_UNDEFINED otherwise
- * @param rekey_skd SKd of old SA if rekeying
- * @return TRUE on success
- */
- bool (*derive_ike_keys)(tkm_keymat_t *this, proposal_t *proposal,
- diffie_hellman_t *dh, chunk_t nonce_i,
- chunk_t nonce_r, ike_sa_id_t *id,
- pseudo_random_function_t rekey_function,
- chunk_t rekey_skd);
-
- /**
- * Use TKM to derive child key material.
- *
- * @param proposal selected algorithms
- * @param dh diffie hellman key allocated by create_dh(), or NULL
- * @param nonce_i initiators nonce value
- * @param nonce_r responders nonce value
- * @param encr_i handle to initiators encryption key
- * @param integ_i handle to initiators integrity key
- * @param encr_r handle to responders encryption key
- * @param integ_r handle to responders integrity key
- * @return TRUE on success
- */
- bool (*derive_child_keys)(tkm_keymat_t *this,
- proposal_t *proposal, diffie_hellman_t *dh,
- chunk_t nonce_i, chunk_t nonce_r,
- chunk_t *encr_i, chunk_t *integ_i,
- chunk_t *encr_r, chunk_t *integ_r);
-
- /**
- * Use TKM to generate auth octets.
- *
- * @param verify TRUE to create for verfification, FALSE to sign
- * @param ike_sa_init encoded ike_sa_init message
- * @param nonce nonce value
- * @param id identity
- * @param reserved reserved bytes of id_payload
- * @param octests chunk receiving allocated auth octets
- * @return TRUE if octets created successfully
- */
- bool (*get_auth_octets)(tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, identification_t *id,
- char reserved[3], chunk_t *octets);
-
- /**
- * Get SKd and PRF to derive keymat.
- *
- * @param skd chunk to write SKd to (internal data)
- * @return PRF function to derive keymat
- */
- pseudo_random_function_t (*get_skd)(tkm_keymat_t *this, chunk_t *skd);
-
- /**
- * Build the shared secret signature used for PSK and EAP authentication.
- *
- * @param verify TRUE to create for verfification, FALSE to sign
- * @param ike_sa_init encoded ike_sa_init message
- * @param nonce nonce value
- * @param secret optional secret to include into signature
- * @param id identity
- * @param reserved reserved bytes of id_payload
- * @param sign chunk receiving allocated signature octets
- * @return TRUE if signature created successfully
- */
- bool (*get_psk_sig)(tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, chunk_t secret,
- identification_t *id, char reserved[3], chunk_t *sig);
+ keymat_v2_t keymat_v2;
/**
* Get ISA context id.
dh->dh.get_my_public_value(&dh->dh, &pubvalue);
dh->dh.set_other_public_value(&dh->dh, pubvalue);
- fail_unless(keymat->derive_ike_keys(keymat, proposal, &dh->dh, nonce, nonce,
- ike_sa_id, PRF_UNDEFINED, chunk_empty), "Key derivation failed");
+ fail_unless(keymat->keymat_v2.derive_ike_keys(&keymat->keymat_v2, proposal,
+ &dh->dh, nonce, nonce, ike_sa_id, PRF_UNDEFINED, chunk_empty),
+ "Key derivation failed");
chunk_free(&nonce);
- aead_t * const aead = keymat->keymat.get_aead(&keymat->keymat, TRUE);
+ aead_t * const aead = keymat->keymat_v2.keymat.get_aead(&keymat->keymat_v2.keymat, TRUE);
fail_if(!aead, "AEAD is NULL");
fail_if(aead->get_key_size(aead) != 96, "Key size mismatch %d",
proposal->destroy(proposal);
dh->dh.destroy(&dh->dh);
ike_sa_id->destroy(ike_sa_id);
- keymat->keymat.destroy(&keymat->keymat);
+ keymat->keymat_v2.keymat.destroy(&keymat->keymat_v2.keymat);
chunk_free(&pubvalue);
libcharon_deinit();
chunk_t encr_i, encr_r, integ_i, integ_r;
chunk_t nonce = chunk_from_chars("test chunk");
- fail_unless(keymat->derive_child_keys(keymat, proposal, (diffie_hellman_t *)dh, nonce, nonce,
- &encr_i, &integ_i, &encr_r, &integ_r),
+ fail_unless(keymat->keymat_v2.derive_child_keys(&keymat->keymat_v2, proposal,
+ (diffie_hellman_t *)dh,
+ nonce, nonce, &encr_i,
+ &integ_i, &encr_r, &integ_r),
"Child key derivation failed");
esa_info_t *info = (esa_info_t *)encr_i.ptr;
proposal->destroy(proposal);
dh->dh.destroy(&dh->dh);
- keymat->keymat.destroy(&keymat->keymat);
+ keymat->keymat_v2.keymat.destroy(&keymat->keymat_v2.keymat);
chunk_free(&encr_i);
chunk_free(&encr_r);