]> git.ipfire.org Git - people/ms/strongswan.git/blob - src/libcharon/sa/ikev2/keymat_v2.c
projects / people / ms / strongswan.git / blob
? search:


85f891f7f55136326caa922385d61c42bbfec59c
[people/ms/strongswan.git] / src / libcharon / sa / ikev2 / keymat_v2.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "keymat_v2.h"
17
18 #include <daemon.h>
19 #include <crypto/prf_plus.h>
20
21 typedef struct private_keymat_v2_t private_keymat_v2_t;
22
23 /**
24 * Private data of an keymat_t object.
25 */
26 struct private_keymat_v2_t {
27
28 /**
29 * Public keymat_v2_t interface.
30 */
31 keymat_v2_t public;
32
33 /**
34 * IKE_SA Role, initiator or responder
35 */
36 bool initiator;
37
38 /**
39 * inbound AEAD
40 */
41 aead_t *aead_in;
42
43 /**
44 * outbound AEAD
45 */
46 aead_t *aead_out;
47
48 /**
49 * General purpose PRF
50 */
51 prf_t *prf;
52
53 /**
54 * Negotiated PRF algorithm
55 */
56 pseudo_random_function_t prf_alg;
57
58 /**
59 * Key to derive key material from for CHILD_SAs, rekeying
60 */
61 chunk_t skd;
62
63 /**
64 * Key to build outging authentication data (SKp)
65 */
66 chunk_t skp_build;
67
68 /**
69 * Key to verify incoming authentication data (SKp)
70 */
71 chunk_t skp_verify;
72 };
73
74 METHOD(keymat_t, get_version, ike_version_t,
75 private_keymat_v2_t *this)
76 {
77 return IKEV2;
78 }
79
80 METHOD(keymat_t, create_dh, diffie_hellman_t*,
81 private_keymat_v2_t *this, diffie_hellman_group_t group)
82 {
83 return lib->crypto->create_dh(lib->crypto, group);
84 }
85
86 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
87 private_keymat_v2_t *this)
88 {
89 return lib->crypto->create_nonce_gen(lib->crypto);
90 }
91
92 /**
93 * Derive IKE keys for a combined AEAD algorithm
94 */
95 static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg,
96 u_int16_t key_size, prf_plus_t *prf_plus)
97 {
98 aead_t *aead_i, *aead_r;
99 chunk_t key = chunk_empty;
100
101 /* SK_ei/SK_er used for encryption */
102 aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
103 aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
104 if (aead_i == NULL || aead_r == NULL)
105 {
106 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
107 transform_type_names, ENCRYPTION_ALGORITHM,
108 encryption_algorithm_names, alg, key_size);
109 goto failure;
110 }
111 key_size = aead_i->get_key_size(aead_i);
112 if (key_size != aead_r->get_key_size(aead_r))
113 {
114 goto failure;
115 }
116 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
117 {
118 goto failure;
119 }
120 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
121 if (!aead_i->set_key(aead_i, key))
122 {
123 goto failure;
124 }
125 chunk_clear(&key);
126
127 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
128 {
129 goto failure;
130 }
131 DBG4(DBG_IKE, "Sk_er secret %B", &key);
132 if (!aead_r->set_key(aead_r, key))
133 {
134 goto failure;
135 }
136
137 if (this->initiator)
138 {
139 this->aead_in = aead_r;
140 this->aead_out = aead_i;
141 }
142 else
143 {
144 this->aead_in = aead_i;
145 this->aead_out = aead_r;
146 }
147 aead_i = aead_r = NULL;
148
149 failure:
150 DESTROY_IF(aead_i);
151 DESTROY_IF(aead_r);
152 chunk_clear(&key);
153 return this->aead_in && this->aead_out;
154 }
155
156 /**
157 * Derive IKE keys for traditional encryption and MAC algorithms
158 */
159 static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg,
160 u_int16_t enc_size, u_int16_t int_alg, prf_plus_t *prf_plus)
161 {
162 crypter_t *crypter_i = NULL, *crypter_r = NULL;
163 signer_t *signer_i, *signer_r;
164 size_t key_size;
165 chunk_t key = chunk_empty;
166
167 signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
168 signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
169 crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
170 crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
171 if (signer_i == NULL || signer_r == NULL)
172 {
173 DBG1(DBG_IKE, "%N %N not supported!",
174 transform_type_names, INTEGRITY_ALGORITHM,
175 integrity_algorithm_names, int_alg);
176 goto failure;
177 }
178 if (crypter_i == NULL || crypter_r == NULL)
179 {
180 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
181 transform_type_names, ENCRYPTION_ALGORITHM,
182 encryption_algorithm_names, enc_alg, enc_size);
183 goto failure;
184 }
185
186 /* SK_ai/SK_ar used for integrity protection */
187 key_size = signer_i->get_key_size(signer_i);
188
189 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
190 {
191 goto failure;
192 }
193 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
194 if (!signer_i->set_key(signer_i, key))
195 {
196 goto failure;
197 }
198 chunk_clear(&key);
199
200 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
201 {
202 goto failure;
203 }
204 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
205 if (!signer_r->set_key(signer_r, key))
206 {
207 goto failure;
208 }
209 chunk_clear(&key);
210
211 /* SK_ei/SK_er used for encryption */
212 key_size = crypter_i->get_key_size(crypter_i);
213
214 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
215 {
216 goto failure;
217 }
218 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
219 if (!crypter_i->set_key(crypter_i, key))
220 {
221 goto failure;
222 }
223 chunk_clear(&key);
224
225 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
226 {
227 goto failure;
228 }
229 DBG4(DBG_IKE, "Sk_er secret %B", &key);
230 if (!crypter_r->set_key(crypter_r, key))
231 {
232 goto failure;
233 }
234
235 if (this->initiator)
236 {
237 this->aead_in = aead_create(crypter_r, signer_r);
238 this->aead_out = aead_create(crypter_i, signer_i);
239 }
240 else
241 {
242 this->aead_in = aead_create(crypter_i, signer_i);
243 this->aead_out = aead_create(crypter_r, signer_r);
244 }
245 signer_i = signer_r = NULL;
246 crypter_i = crypter_r = NULL;
247
248 failure:
249 chunk_clear(&key);
250 DESTROY_IF(signer_i);
251 DESTROY_IF(signer_r);
252 DESTROY_IF(crypter_i);
253 DESTROY_IF(crypter_r);
254 return this->aead_in && this->aead_out;
255 }
256
257 METHOD(keymat_v2_t, derive_ike_keys, bool,
258 private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
259 chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
260 pseudo_random_function_t rekey_function, chunk_t rekey_skd)
261 {
262 chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
263 chunk_t spi_i, spi_r;
264 prf_plus_t *prf_plus = NULL;
265 u_int16_t alg, key_size, int_alg;
266 prf_t *rekey_prf = NULL;
267
268 spi_i = chunk_alloca(sizeof(u_int64_t));
269 spi_r = chunk_alloca(sizeof(u_int64_t));
270
271 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
272 {
273 return FALSE;
274 }
275
276 /* Create SAs general purpose PRF first, we may use it here */
277 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
278 {
279 DBG1(DBG_IKE, "no %N selected",
280 transform_type_names, PSEUDO_RANDOM_FUNCTION);
281 chunk_clear(&secret);
282 return FALSE;
283 }
284 this->prf_alg = alg;
285 this->prf = lib->crypto->create_prf(lib->crypto, alg);
286 if (this->prf == NULL)
287 {
288 DBG1(DBG_IKE, "%N %N not supported!",
289 transform_type_names, PSEUDO_RANDOM_FUNCTION,
290 pseudo_random_function_names, alg);
291 chunk_clear(&secret);
292 return FALSE;
293 }
294 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
295 /* full nonce is used as seed for PRF+ ... */
296 full_nonce = chunk_cat("cc", nonce_i, nonce_r);
297 /* but the PRF may need a fixed key which only uses the first bytes of
298 * the nonces. */
299 switch (alg)
300 {
301 case PRF_AES128_XCBC:
302 /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
303 * not and therefore fixed key semantics apply to XCBC for key
304 * derivation. */
305 case PRF_CAMELLIA128_XCBC:
306 /* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
307 * assume fixed key length. */
308 key_size = this->prf->get_key_size(this->prf)/2;
309 nonce_i.len = min(nonce_i.len, key_size);
310 nonce_r.len = min(nonce_r.len, key_size);
311 break;
312 default:
313 /* all other algorithms use variable key length, full nonce */
314 break;
315 }
316 fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
317 *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
318 *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
319 prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
320
321 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
322 *
323 * if we are rekeying, SKEYSEED is built on another way
324 */
325 if (rekey_function == PRF_UNDEFINED) /* not rekeying */
326 {
327 /* SKEYSEED = prf(Ni | Nr, g^ir) */
328 if (this->prf->set_key(this->prf, fixed_nonce) &&
329 this->prf->allocate_bytes(this->prf, secret, &skeyseed) &&
330 this->prf->set_key(this->prf, skeyseed))
331 {
332 prf_plus = prf_plus_create(this->prf, TRUE, prf_plus_seed);
333 }
334 }
335 else
336 {
337 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
338 * use OLD SAs PRF functions for both prf_plus and prf */
339 rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
340 if (!rekey_prf)
341 {
342 DBG1(DBG_IKE, "PRF of old SA %N not supported!",
343 pseudo_random_function_names, rekey_function);
344 chunk_clear(&secret);
345 chunk_free(&full_nonce);
346 chunk_free(&fixed_nonce);
347 chunk_clear(&prf_plus_seed);
348 return FALSE;
349 }
350 secret = chunk_cat("mc", secret, full_nonce);
351 if (rekey_prf->set_key(rekey_prf, rekey_skd) &&
352 rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed) &&
353 rekey_prf->set_key(rekey_prf, skeyseed))
354 {
355 prf_plus = prf_plus_create(rekey_prf, TRUE, prf_plus_seed);
356 }
357 }
358 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
359
360 chunk_clear(&skeyseed);
361 chunk_clear(&secret);
362 chunk_free(&full_nonce);
363 chunk_free(&fixed_nonce);
364 chunk_clear(&prf_plus_seed);
365
366 if (!prf_plus)
367 {
368 goto failure;
369 }
370
371 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
372
373 /* SK_d is used for generating CHILD_SA key mat => store for later use */
374 key_size = this->prf->get_key_size(this->prf);
375 if (!prf_plus->allocate_bytes(prf_plus, key_size, &this->skd))
376 {
377 goto failure;
378 }
379 DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
380
381 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
382 {
383 DBG1(DBG_IKE, "no %N selected",
384 transform_type_names, ENCRYPTION_ALGORITHM);
385 goto failure;
386 }
387
388 if (encryption_algorithm_is_aead(alg))
389 {
390 if (!derive_ike_aead(this, alg, key_size, prf_plus))
391 {
392 goto failure;
393 }
394 }
395 else
396 {
397 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
398 &int_alg, NULL))
399 {
400 DBG1(DBG_IKE, "no %N selected",
401 transform_type_names, INTEGRITY_ALGORITHM);
402 goto failure;
403 }
404 if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus))
405 {
406 goto failure;
407 }
408 }
409
410 /* SK_pi/SK_pr used for authentication => stored for later */
411 key_size = this->prf->get_key_size(this->prf);
412 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
413 {
414 goto failure;
415 }
416 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
417 if (this->initiator)
418 {
419 this->skp_build = key;
420 }
421 else
422 {
423 this->skp_verify = key;
424 }
425 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
426 {
427 goto failure;
428 }
429 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
430 if (this->initiator)
431 {
432 this->skp_verify = key;
433 }
434 else
435 {
436 this->skp_build = key;
437 }
438
439 /* all done, prf_plus not needed anymore */
440 failure:
441 DESTROY_IF(prf_plus);
442 DESTROY_IF(rekey_prf);
443
444 return this->skp_build.len && this->skp_verify.len;
445 }
446
447 METHOD(keymat_v2_t, derive_child_keys, bool,
448 private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
449 chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
450 chunk_t *encr_r, chunk_t *integ_r)
451 {
452 u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
453 chunk_t seed, secret = chunk_empty;
454 prf_plus_t *prf_plus;
455
456 if (dh)
457 {
458 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
459 {
460 return FALSE;
461 }
462 DBG4(DBG_CHD, "DH secret %B", &secret);
463 }
464 seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
465 DBG4(DBG_CHD, "seed %B", &seed);
466
467 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
468 &enc_alg, &enc_size))
469 {
470 DBG2(DBG_CHD, " using %N for encryption",
471 encryption_algorithm_names, enc_alg);
472
473 if (!enc_size)
474 {
475 enc_size = keymat_get_keylen_encr(enc_alg);
476 }
477 if (enc_alg != ENCR_NULL && !enc_size)
478 {
479 DBG1(DBG_CHD, "no keylength defined for %N",
480 encryption_algorithm_names, enc_alg);
481 return FALSE;
482 }
483 /* to bytes */
484 enc_size /= 8;
485
486 /* CCM/GCM/CTR/GMAC needs additional bytes */
487 switch (enc_alg)
488 {
489 case ENCR_AES_CCM_ICV8:
490 case ENCR_AES_CCM_ICV12:
491 case ENCR_AES_CCM_ICV16:
492 case ENCR_CAMELLIA_CCM_ICV8:
493 case ENCR_CAMELLIA_CCM_ICV12:
494 case ENCR_CAMELLIA_CCM_ICV16:
495 enc_size += 3;
496 break;
497 case ENCR_AES_GCM_ICV8:
498 case ENCR_AES_GCM_ICV12:
499 case ENCR_AES_GCM_ICV16:
500 case ENCR_AES_CTR:
501 case ENCR_NULL_AUTH_AES_GMAC:
502 enc_size += 4;
503 break;
504 default:
505 break;
506 }
507 }
508
509 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
510 &int_alg, &int_size))
511 {
512 DBG2(DBG_CHD, " using %N for integrity",
513 integrity_algorithm_names, int_alg);
514
515 if (!int_size)
516 {
517 int_size = keymat_get_keylen_integ(int_alg);
518 }
519 if (!int_size)
520 {
521 DBG1(DBG_CHD, "no keylength defined for %N",
522 integrity_algorithm_names, int_alg);
523 return FALSE;
524 }
525 /* to bytes */
526 int_size /= 8;
527 }
528
529 if (!this->prf->set_key(this->prf, this->skd))
530 {
531 return FALSE;
532 }
533 prf_plus = prf_plus_create(this->prf, TRUE, seed);
534 if (!prf_plus)
535 {
536 return FALSE;
537 }
538
539 *encr_i = *integ_i = *encr_r = *integ_r = chunk_empty;
540 if (!prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
541 !prf_plus->allocate_bytes(prf_plus, int_size, integ_i) ||
542 !prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
543 !prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
544 {
545 chunk_free(encr_i);
546 chunk_free(integ_i);
547 chunk_free(encr_r);
548 chunk_free(integ_r);
549 prf_plus->destroy(prf_plus);
550 return FALSE;
551 }
552
553 prf_plus->destroy(prf_plus);
554
555 if (enc_size)
556 {
557 DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
558 DBG4(DBG_CHD, "encryption responder key %B", encr_r);
559 }
560 if (int_size)
561 {
562 DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
563 DBG4(DBG_CHD, "integrity responder key %B", integ_r);
564 }
565 return TRUE;
566 }
567
568 METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
569 private_keymat_v2_t *this, chunk_t *skd)
570 {
571 *skd = this->skd;
572 return this->prf_alg;
573 }
574
575 METHOD(keymat_t, get_aead, aead_t*,
576 private_keymat_v2_t *this, bool in)
577 {
578 return in ? this->aead_in : this->aead_out;
579 }
580
581 METHOD(keymat_v2_t, get_auth_octets, bool,
582 private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
583 chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
584 {
585 chunk_t chunk, idx;
586 chunk_t skp;
587
588 skp = verify ? this->skp_verify : this->skp_build;
589
590 chunk = chunk_alloca(4);
591 chunk.ptr[0] = id->get_type(id);
592 memcpy(chunk.ptr + 1, reserved, 3);
593 idx = chunk_cata("cc", chunk, id->get_encoding(id));
594
595 DBG3(DBG_IKE, "IDx' %B", &idx);
596 DBG4(DBG_IKE, "SK_p %B", &skp);
597 if (!this->prf->set_key(this->prf, skp) ||
598 !this->prf->allocate_bytes(this->prf, idx, &chunk))
599 {
600 return FALSE;
601 }
602 *octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
603 DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", octets);
604 return TRUE;
605 }
606
607 /**
608 * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
609 */
610 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
611 #define IKEV2_KEY_PAD_LENGTH 17
612
613 METHOD(keymat_v2_t, get_psk_sig, bool,
614 private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
615 chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
616 {
617 chunk_t key_pad, key, octets;
618
619 if (!secret.len)
620 { /* EAP uses SK_p if no MSK has been established */
621 secret = verify ? this->skp_verify : this->skp_build;
622 }
623 if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, &octets))
624 {
625 return FALSE;
626 }
627 /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
628 key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
629 if (!this->prf->set_key(this->prf, secret) ||
630 !this->prf->allocate_bytes(this->prf, key_pad, &key))
631 {
632 chunk_free(&octets);
633 return FALSE;
634 }
635 if (!this->prf->set_key(this->prf, key) ||
636 !this->prf->allocate_bytes(this->prf, octets, sig))
637 {
638 chunk_free(&key);
639 chunk_free(&octets);
640 return FALSE;
641 }
642 DBG4(DBG_IKE, "secret %B", &secret);
643 DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
644 DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", sig);
645 chunk_free(&octets);
646 chunk_free(&key);
647
648 return TRUE;
649 }
650
651 METHOD(keymat_t, destroy, void,
652 private_keymat_v2_t *this)
653 {
654 DESTROY_IF(this->aead_in);
655 DESTROY_IF(this->aead_out);
656 DESTROY_IF(this->prf);
657 chunk_clear(&this->skd);
658 chunk_clear(&this->skp_verify);
659 chunk_clear(&this->skp_build);
660 free(this);
661 }
662
663 /**
664 * See header
665 */
666 keymat_v2_t *keymat_v2_create(bool initiator)
667 {
668 private_keymat_v2_t *this;
669
670 INIT(this,
671 .public = {
672 .keymat = {
673 .get_version = _get_version,
674 .create_dh = _create_dh,
675 .create_nonce_gen = _create_nonce_gen,
676 .get_aead = _get_aead,
677 .destroy = _destroy,
678 },
679 .derive_ike_keys = _derive_ike_keys,
680 .derive_child_keys = _derive_child_keys,
681 .get_skd = _get_skd,
682 .get_auth_octets = _get_auth_octets,
683 .get_psk_sig = _get_psk_sig,
684 },
685 .initiator = initiator,
686 .prf_alg = PRF_UNDEFINED,
687 );
688
689 return &this->public;
690 }
Michael's strongswan development tree