Moved version specific keymat functions to specific interfaces.
authorTobias Brunner <tobias@strongswan.org>
Fri, 18 Nov 2011 09:56:48 +0000 (10:56 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 20 Mar 2012 16:30:45 +0000 (17:30 +0100)
src/conftest/hooks/pretend_auth.c
src/conftest/hooks/rebuild_auth.c
src/libcharon/sa/authenticators/eap_authenticator.c
src/libcharon/sa/authenticators/psk_authenticator.c
src/libcharon/sa/authenticators/pubkey_authenticator.c
src/libcharon/sa/keymat.h
src/libcharon/sa/keymat_v1.c
src/libcharon/sa/keymat_v2.c
src/libcharon/sa/keymat_v2.h
src/libcharon/sa/tasks/child_create.c
src/libcharon/sa/tasks/ike_init.c

index ff99900..f91b6bf 100644 (file)
@@ -15,6 +15,7 @@
 
 #include "hook.h"
 
+#include <sa/keymat_v2.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/auth_payload.h>
@@ -190,7 +191,7 @@ static bool build_auth(private_pretend_auth_t *this,
        auth_payload_t *auth_payload;
        auth_method_t auth_method;
        signature_scheme_t scheme;
-       keymat_t *keymat;
+       keymat_v2_t *keymat;
 
        auth = auth_cfg_create();
        private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->id, auth);
@@ -235,7 +236,7 @@ static bool build_auth(private_pretend_auth_t *this,
                                        key_type_names, private->get_type(private));
                        return FALSE;
        }
-       keymat = ike_sa->get_keymat(ike_sa);
+       keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
        octets = keymat->get_auth_octets(keymat, TRUE, this->ike_init,
                                                                         this->nonce, this->id, this->reserved);
        if (!private->sign(private, scheme, octets, &auth_data))
index 993c952..cf9b113 100644 (file)
@@ -15,6 +15,7 @@
 
 #include "hook.h"
 
+#include <sa/keymat_v2.h>
 #include <encoding/generator.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/auth_payload.h>
@@ -62,7 +63,7 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
        auth_payload_t *auth_payload;
        auth_method_t auth_method;
        signature_scheme_t scheme;
-       keymat_t *keymat;
+       keymat_v2_t *keymat;
        identification_t *id;
        char reserved[3];
        generator_t *generator;
@@ -137,7 +138,7 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
                        id->destroy(id);
                        return FALSE;
        }
-       keymat = ike_sa->get_keymat(ike_sa);
+       keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
        octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init,
                                                                         this->nonce, id, reserved);
        if (!private->sign(private, scheme, octets, &auth_data))
index c85a45f..d36d544 100644 (file)
@@ -16,6 +16,7 @@
 #include "eap_authenticator.h"
 
 #include <daemon.h>
+#include <sa/keymat_v2.h>
 #include <sa/authenticators/eap/eap_method.h>
 #include <encoding/payloads/auth_payload.h>
 #include <encoding/payloads/eap_payload.h>
@@ -376,7 +377,7 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
                if (vendor)
                {
                        DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d ",
-                                                 "(id 0x%02X)", type, vendor, in->get_identifier(in));
+                                                 "(id 0x%02X)", type, vendor, in->get_identifier(in));
                }
                else
                {
@@ -419,7 +420,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
        chunk_t auth_data, recv_auth_data;
        identification_t *other_id;
        auth_cfg_t *auth;
-       keymat_t *keymat;
+       keymat_v2_t *keymat;
 
        auth_payload = (auth_payload_t*)message->get_payload(message,
                                                                                                                 AUTHENTICATION);
@@ -429,7 +430,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
                return FALSE;
        }
        other_id = this->ike_sa->get_other_id(this->ike_sa);
-       keymat = this->ike_sa->get_keymat(this->ike_sa);
+       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
        auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
                                                                        this->msk, other_id, this->reserved);
        recv_auth_data = auth_payload->get_data(auth_payload);
@@ -459,10 +460,10 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message,
        auth_payload_t *auth_payload;
        identification_t *my_id;
        chunk_t auth_data;
-       keymat_t *keymat;
+       keymat_v2_t *keymat;
 
        my_id = this->ike_sa->get_my_id(this->ike_sa);
-       keymat = this->ike_sa->get_keymat(this->ike_sa);
+       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
 
        DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
                 my_id, auth_class_names, AUTH_CLASS_EAP);
index 21fc0f9..26c7225 100644 (file)
@@ -18,6 +18,7 @@
 
 #include <daemon.h>
 #include <encoding/payloads/auth_payload.h>
+#include <sa/keymat_v2.h>
 
 typedef struct private_psk_authenticator_t private_psk_authenticator_t;
 
@@ -59,9 +60,9 @@ METHOD(authenticator_t, build, status_t,
        auth_payload_t *auth_payload;
        shared_key_t *key;
        chunk_t auth_data;
-       keymat_t *keymat;
+       keymat_v2_t *keymat;
 
-       keymat = this->ike_sa->get_keymat(this->ike_sa);
+       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
        my_id = this->ike_sa->get_my_id(this->ike_sa);
        other_id = this->ike_sa->get_other_id(this->ike_sa);
        DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
@@ -96,14 +97,14 @@ METHOD(authenticator_t, process, status_t,
        enumerator_t *enumerator;
        bool authenticated = FALSE;
        int keys_found = 0;
-       keymat_t *keymat;
+       keymat_v2_t *keymat;
 
        auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
        if (!auth_payload)
        {
                return FAILED;
        }
-       keymat = this->ike_sa->get_keymat(this->ike_sa);
+       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
        recv_auth_data = auth_payload->get_data(auth_payload);
        my_id = this->ike_sa->get_my_id(this->ike_sa);
        other_id = this->ike_sa->get_other_id(this->ike_sa);
index 2478916..df5b06a 100644 (file)
@@ -19,6 +19,7 @@
 
 #include <daemon.h>
 #include <encoding/payloads/auth_payload.h>
+#include <sa/keymat_v2.h>
 
 typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
 
@@ -64,7 +65,7 @@ METHOD(authenticator_t, build, status_t,
        auth_payload_t *auth_payload;
        auth_method_t auth_method;
        signature_scheme_t scheme;
-       keymat_t *keymat;
+       keymat_v2_t *keymat;
 
        id = this->ike_sa->get_my_id(this->ike_sa);
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
@@ -110,7 +111,7 @@ METHOD(authenticator_t, build, status_t,
                                        key_type_names, private->get_type(private));
                        return status;
        }
-       keymat = this->ike_sa->get_keymat(this->ike_sa);
+       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
        octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
                                                                         this->nonce, id, this->reserved);
        if (private->sign(private, scheme, octets, &auth_data))
@@ -144,7 +145,7 @@ METHOD(authenticator_t, process, status_t,
        key_type_t key_type = KEY_ECDSA;
        signature_scheme_t scheme;
        status_t status = NOT_FOUND;
-       keymat_t *keymat;
+       keymat_v2_t *keymat;
 
        auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
        if (!auth_payload)
@@ -174,7 +175,7 @@ METHOD(authenticator_t, process, status_t,
        }
        auth_data = auth_payload->get_data(auth_payload);
        id = this->ike_sa->get_other_id(this->ike_sa);
-       keymat = this->ike_sa->get_keymat(this->ike_sa);
+       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
        octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
                                                                         this->nonce, id, this->reserved);
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
index 7867898..5860044 100644 (file)
@@ -46,58 +46,8 @@ struct keymat_t {
         * @param group                 diffie hellman group
         * @return                              DH object, NULL if group not supported
         */
-       diffie_hellman_t* (*create_dh)(keymat_t *this, diffie_hellman_group_t group);
-
-       /**
-        * Derive keys for the IKE_SA.
-        *
-        * These keys are not handed out, but are used by the associated signers,
-        * crypters and authentication functions.
-        *
-        * @param proposal      selected algorithms
-        * @param dh            diffie hellman key allocated by create_dh()
-        * @param nonce_i       initiators nonce value
-        * @param nonce_r       responders nonce value
-        * @param id            IKE_SA identifier
-        * @param rekey_prf     PRF of old SA if rekeying, PRF_UNDEFINED otherwise
-        * @param rekey_sdk     SKd of old SA if rekeying
-        * @return                      TRUE on success
-        */
-       bool (*derive_ike_keys)(keymat_t *this, proposal_t *proposal,
-                                                       diffie_hellman_t *dh, chunk_t nonce_i,
-                                                       chunk_t nonce_r, ike_sa_id_t *id,
-                                                       pseudo_random_function_t rekey_function,
-                                                       chunk_t rekey_skd);
-       /**
-        * Derive keys for a CHILD_SA.
-        *
-        * The keys for the CHILD_SA are allocated in the integ and encr chunks.
-        * An implementation might hand out encrypted keys only, which are
-        * decrypted in the kernel before use.
-        * If no PFS is used for the CHILD_SA, dh can be NULL.
-        *
-        * @param proposal      selected algorithms
-        * @param dh            diffie hellman key allocated by create_dh(), or NULL
-        * @param nonce_i       initiators nonce value
-        * @param nonce_r       responders nonce value
-        * @param encr_i        chunk to write initiators encryption key to
-        * @param integ_i       chunk to write initiators integrity key to
-        * @param encr_r        chunk to write responders encryption key to
-        * @param integ_r       chunk to write responders integrity key to
-        * @return                      TRUE on success
-        */
-       bool (*derive_child_keys)(keymat_t *this,
-                                                         proposal_t *proposal, diffie_hellman_t *dh,
-                                                         chunk_t nonce_i, chunk_t nonce_r,
-                                                         chunk_t *encr_i, chunk_t *integ_i,
-                                                         chunk_t *encr_r, chunk_t *integ_r);
-       /**
-        * Get SKd to pass to derive_ikey_keys() during rekeying.
-        *
-        * @param skd           chunk to write SKd to (internal data)
-        * @return                      PRF function to derive keymat
-        */
-       pseudo_random_function_t (*get_skd)(keymat_t *this, chunk_t *skd);
+       diffie_hellman_t* (*create_dh)(keymat_t *this,
+                                                                  diffie_hellman_group_t group);
 
        /*
         * Get a AEAD transform to en-/decrypt and sign/verify IKE messages.
@@ -108,41 +58,6 @@ struct keymat_t {
        aead_t* (*get_aead)(keymat_t *this, bool in);
 
        /**
-        * Generate octets to use for authentication procedure (RFC4306 2.15).
-        *
-        * This method creates the plain octets and is usually signed by a private
-        * key. PSK and EAP authentication include a secret into the data, use
-        * the get_psk_sig() method instead.
-        *
-        * @param verify                TRUE to create for verfification, FALSE to sign
-        * @param ike_sa_init   encoded ike_sa_init message
-        * @param nonce                 nonce value
-        * @param id                    identity
-        * @param reserved              reserved bytes of id_payload
-        * @return                              authentication octets
-        */
-       chunk_t (*get_auth_octets)(keymat_t *this, bool verify, chunk_t ike_sa_init,
-                                                          chunk_t nonce, identification_t *id,
-                                                          char reserved[3]);
-       /**
-        * Build the shared secret signature used for PSK and EAP authentication.
-        *
-        * This method wraps the get_auth_octets() method and additionally
-        * includes the secret into the signature. If no secret is given, SK_p is
-        * used as secret (used for EAP methods without MSK).
-        *
-        * @param verify                TRUE to create for verfification, FALSE to sign
-        * @param ike_sa_init   encoded ike_sa_init message
-        * @param nonce                 nonce value
-        * @param secret                optional secret to include into signature
-        * @param id                    identity
-        * @param reserved              reserved bytes of id_payload
-        * @return                              signature octets
-        */
-       chunk_t (*get_psk_sig)(keymat_t *this, bool verify, chunk_t ike_sa_init,
-                                                  chunk_t nonce, chunk_t secret,
-                                                  identification_t *id, char reserved[3]);
-       /**
         * Destroy a keymat_t.
         */
        void (*destroy)(keymat_t *this);
index f73366d..e4f58a4 100644 (file)
@@ -81,20 +81,6 @@ METHOD(keymat_t, get_aead, aead_t*,
        return NULL;
 }
 
-METHOD(keymat_t, get_auth_octets, chunk_t,
-       private_keymat_v1_t *this, bool verify, chunk_t ike_sa_init,
-       chunk_t nonce, identification_t *id, char reserved[3])
-{
-       return chunk_empty;
-}
-
-METHOD(keymat_t, get_psk_sig, chunk_t,
-       private_keymat_v1_t *this, bool verify, chunk_t ike_sa_init,
-       chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3])
-{
-       return chunk_empty;
-}
-
 METHOD(keymat_t, destroy, void,
        private_keymat_v1_t *this)
 {
@@ -113,12 +99,7 @@ keymat_v1_t *keymat_v1_create(bool initiator)
                .public = {
                        .keymat = {
                                .create_dh = _create_dh,
-                               .derive_ike_keys = _derive_ike_keys,
-                               .derive_child_keys = _derive_child_keys,
-                               .get_skd = _get_skd,
                                .get_aead = _get_aead,
-                               .get_auth_octets = _get_auth_octets,
-                               .get_psk_sig = _get_psk_sig,
                                .destroy = _destroy,
                        },
                },
index 562a72f..9fd1732 100644 (file)
@@ -127,7 +127,7 @@ static int lookup_keylen(keylen_entry_t *list, int algo)
 METHOD(keymat_t, create_dh, diffie_hellman_t*,
        private_keymat_v2_t *this, diffie_hellman_group_t group)
 {
-       return lib->crypto->create_dh(lib->crypto, group);;
+       return lib->crypto->create_dh(lib->crypto, group);
 }
 
 /**
@@ -244,7 +244,7 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg,
        return TRUE;
 }
 
-METHOD(keymat_t, derive_ike_keys, bool,
+METHOD(keymat_v2_t, derive_ike_keys, bool,
        private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
        chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
        pseudo_random_function_t rekey_function, chunk_t rekey_skd)
@@ -420,7 +420,7 @@ METHOD(keymat_t, derive_ike_keys, bool,
        return TRUE;
 }
 
-METHOD(keymat_t, derive_child_keys, bool,
+METHOD(keymat_v2_t, derive_child_keys, bool,
        private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
        chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
        chunk_t *encr_r, chunk_t *integ_r)
@@ -525,7 +525,7 @@ METHOD(keymat_t, derive_child_keys, bool,
        return TRUE;
 }
 
-METHOD(keymat_t, get_skd, pseudo_random_function_t,
+METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
        private_keymat_v2_t *this, chunk_t *skd)
 {
        *skd = this->skd;
@@ -538,7 +538,7 @@ METHOD(keymat_t, get_aead, aead_t*,
        return in ? this->aead_in : this->aead_out;
 }
 
-METHOD(keymat_t, get_auth_octets, chunk_t,
+METHOD(keymat_v2_t, get_auth_octets, chunk_t,
        private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
        chunk_t nonce, identification_t *id, char reserved[3])
 {
@@ -568,7 +568,7 @@ METHOD(keymat_t, get_auth_octets, chunk_t,
 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
 #define IKEV2_KEY_PAD_LENGTH 17
 
-METHOD(keymat_t, get_psk_sig, chunk_t,
+METHOD(keymat_v2_t, get_psk_sig, chunk_t,
        private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
        chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3])
 {
@@ -617,14 +617,14 @@ keymat_v2_t *keymat_v2_create(bool initiator)
                .public = {
                        .keymat = {
                                .create_dh = _create_dh,
-                               .derive_ike_keys = _derive_ike_keys,
-                               .derive_child_keys = _derive_child_keys,
-                               .get_skd = _get_skd,
                                .get_aead = _get_aead,
-                               .get_auth_octets = _get_auth_octets,
-                               .get_psk_sig = _get_psk_sig,
                                .destroy = _destroy,
                        },
+                       .derive_ike_keys = _derive_ike_keys,
+                       .derive_child_keys = _derive_child_keys,
+                       .get_skd = _get_skd,
+                       .get_auth_octets = _get_auth_octets,
+                       .get_psk_sig = _get_psk_sig,
                },
                .initiator = initiator,
                .prf_alg = PRF_UNDEFINED,
index 6026a02..b33e713 100644 (file)
@@ -34,6 +34,94 @@ struct keymat_v2_t {
         * Implements keymat_t.
         */
        keymat_t keymat;
+
+       /**
+        * Derive keys for the IKE_SA.
+        *
+        * These keys are not handed out, but are used by the associated signers,
+        * crypters and authentication functions.
+        *
+        * @param proposal      selected algorithms
+        * @param dh            diffie hellman key allocated by create_dh()
+        * @param nonce_i       initiators nonce value
+        * @param nonce_r       responders nonce value
+        * @param id            IKE_SA identifier
+        * @param rekey_prf     PRF of old SA if rekeying, PRF_UNDEFINED otherwise
+        * @param rekey_sdk     SKd of old SA if rekeying
+        * @return                      TRUE on success
+        */
+       bool (*derive_ike_keys)(keymat_v2_t *this, proposal_t *proposal,
+                                                       diffie_hellman_t *dh, chunk_t nonce_i,
+                                                       chunk_t nonce_r, ike_sa_id_t *id,
+                                                       pseudo_random_function_t rekey_function,
+                                                       chunk_t rekey_skd);
+
+       /**
+        * Derive keys for a CHILD_SA.
+        *
+        * The keys for the CHILD_SA are allocated in the integ and encr chunks.
+        * An implementation might hand out encrypted keys only, which are
+        * decrypted in the kernel before use.
+        * If no PFS is used for the CHILD_SA, dh can be NULL.
+        *
+        * @param proposal      selected algorithms
+        * @param dh            diffie hellman key allocated by create_dh(), or NULL
+        * @param nonce_i       initiators nonce value
+        * @param nonce_r       responders nonce value
+        * @param encr_i        chunk to write initiators encryption key to
+        * @param integ_i       chunk to write initiators integrity key to
+        * @param encr_r        chunk to write responders encryption key to
+        * @param integ_r       chunk to write responders integrity key to
+        * @return                      TRUE on success
+        */
+       bool (*derive_child_keys)(keymat_v2_t *this,
+                                                         proposal_t *proposal, diffie_hellman_t *dh,
+                                                         chunk_t nonce_i, chunk_t nonce_r,
+                                                         chunk_t *encr_i, chunk_t *integ_i,
+                                                         chunk_t *encr_r, chunk_t *integ_r);
+       /**
+        * Get SKd to pass to derive_ikey_keys() during rekeying.
+        *
+        * @param skd           chunk to write SKd to (internal data)
+        * @return                      PRF function to derive keymat
+        */
+       pseudo_random_function_t (*get_skd)(keymat_v2_t *this, chunk_t *skd);
+
+       /**
+        * Generate octets to use for authentication procedure (RFC4306 2.15).
+        *
+        * This method creates the plain octets and is usually signed by a private
+        * key. PSK and EAP authentication include a secret into the data, use
+        * the get_psk_sig() method instead.
+        *
+        * @param verify                TRUE to create for verfification, FALSE to sign
+        * @param ike_sa_init   encoded ike_sa_init message
+        * @param nonce                 nonce value
+        * @param id                    identity
+        * @param reserved              reserved bytes of id_payload
+        * @return                              authentication octets
+        */
+       chunk_t (*get_auth_octets)(keymat_v2_t *this, bool verify,
+                                                          chunk_t ike_sa_init, chunk_t nonce,
+                                                          identification_t *id, char reserved[3]);
+       /**
+        * Build the shared secret signature used for PSK and EAP authentication.
+        *
+        * This method wraps the get_auth_octets() method and additionally
+        * includes the secret into the signature. If no secret is given, SK_p is
+        * used as secret (used for EAP methods without MSK).
+        *
+        * @param verify                TRUE to create for verfification, FALSE to sign
+        * @param ike_sa_init   encoded ike_sa_init message
+        * @param nonce                 nonce value
+        * @param secret                optional secret to include into signature
+        * @param id                    identity
+        * @param reserved              reserved bytes of id_payload
+        * @return                              signature octets
+        */
+       chunk_t (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
+                                                  chunk_t nonce, chunk_t secret,
+                                                  identification_t *id, char reserved[3]);
 };
 
 /**
index 7a89e6f..b0d50ef 100644 (file)
@@ -18,6 +18,7 @@
 #include "child_create.h"
 
 #include <daemon.h>
+#include <sa/keymat_v2.h>
 #include <crypto/diffie_hellman.h>
 #include <credentials/certificates/x509.h>
 #include <encoding/payloads/sa_payload.h>
@@ -109,7 +110,7 @@ struct private_child_create_t {
        /**
         * IKE_SAs keymat
         */
-       keymat_t *keymat;
+       keymat_v2_t *keymat;
 
        /**
         * mode the new CHILD_SA uses (transport/tunnel/beet)
@@ -683,7 +684,8 @@ static void process_payloads(private_child_create_t *this, message_t *message)
                                if (!this->initiator)
                                {
                                        this->dh_group = ke_payload->get_dh_group_number(ke_payload);
-                                       this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
+                                       this->dh = this->keymat->keymat.create_dh(
+                                                                               &this->keymat->keymat, this->dh_group);
                                }
                                if (this->dh)
                                {
@@ -815,7 +817,8 @@ METHOD(task_t, build_i, status_t,
 
        if (this->dh_group != MODP_NONE)
        {
-               this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
+               this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+                                                                                                 this->dh_group);
        }
 
        if (this->config->use_ipcomp(this->config))
@@ -1307,7 +1310,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
                .packet_tsi = tsi ? tsi->clone(tsi) : NULL,
                .packet_tsr = tsr ? tsr->clone(tsr) : NULL,
                .dh_group = MODP_NONE,
-               .keymat = ike_sa->get_keymat(ike_sa),
+               .keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
                .mode = MODE_TUNNEL,
                .tfcv3 = TRUE,
                .ipcomp = IPCOMP_NONE,
index 3907567..868680b 100644 (file)
@@ -20,6 +20,7 @@
 #include <string.h>
 
 #include <daemon.h>
+#include <sa/keymat_v2.h>
 #include <crypto/diffie_hellman.h>
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/ke_payload.h>
@@ -68,7 +69,7 @@ struct private_ike_init_t {
        /**
         * Keymat derivation (from IKE_SA)
         */
-       keymat_t *keymat;
+       keymat_v2_t *keymat;
 
        /**
         * nonce chosen by us
@@ -199,8 +200,8 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
                                this->dh_group = ke_payload->get_dh_group_number(ke_payload);
                                if (!this->initiator)
                                {
-                                       this->dh = this->keymat->create_dh(this->keymat,
-                                                                                                          this->dh_group);
+                                       this->dh = this->keymat->keymat.create_dh(
+                                                                               &this->keymat->keymat, this->dh_group);
                                }
                                if (this->dh)
                                {
@@ -245,7 +246,8 @@ METHOD(task_t, build_i, status_t,
        if (!this->dh)
        {
                this->dh_group = this->config->get_dh_group(this->config);
-               this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
+               this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+                                                                                                 this->dh_group);
                if (!this->dh)
                {
                        DBG1(DBG_IKE, "configured DH group %N not supported",
@@ -329,7 +331,7 @@ METHOD(task_t, process_r,  status_t,
 static bool derive_keys(private_ike_init_t *this,
                                                chunk_t nonce_i, chunk_t nonce_r)
 {
-       keymat_t *old_keymat;
+       keymat_v2_t *old_keymat;
        pseudo_random_function_t prf_alg = PRF_UNDEFINED;
        chunk_t skd = chunk_empty;
        ike_sa_id_t *id;
@@ -338,7 +340,7 @@ static bool derive_keys(private_ike_init_t *this,
        if (this->old_sa)
        {
                /* rekeying: Include old SKd, use old PRF, apply SPI */
-               old_keymat = this->old_sa->get_keymat(this->old_sa);
+               old_keymat = (keymat_v2_t*)this->old_sa->get_keymat(this->old_sa);
                prf_alg = old_keymat->get_skd(old_keymat, &skd);
                if (this->initiator)
                {
@@ -517,10 +519,11 @@ METHOD(task_t, migrate, void,
        chunk_free(&this->other_nonce);
 
        this->ike_sa = ike_sa;
-       this->keymat = ike_sa->get_keymat(ike_sa);
+       this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
        this->proposal = NULL;
        DESTROY_IF(this->dh);
-       this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
+       this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+                                                                                         this->dh_group);
 }
 
 METHOD(task_t, destroy, void,
@@ -567,7 +570,7 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
                .ike_sa = ike_sa,
                .initiator = initiator,
                .dh_group = MODP_NONE,
-               .keymat = ike_sa->get_keymat(ike_sa),
+               .keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
                .old_sa = old_sa,
        );