LDFLAGS= -lgmp -lpthread
-CFLAGS+= -Wall \
- -DLEAK_DETECTIVE \
- -I. \
- -g #-Werror
+CFLAGS+= -Wall -I. -g -DLEAK_DETECTIVE
# objects is extended by each included Makefile
OBJS=
#include <utils/allocator.h>
+#include <daemon.h>
+
typedef struct private_child_sa_t private_child_sa_t;
child_sa_t public;
/**
- * Type of this child sa, ESP or AH.
+ * CHILD_SAs own logger
*/
- protocol_id_t sa_type;
+ logger_t *logger;
+
+ /**
+ * Protocols used in this SA
+ */
+ protocol_id_t protocols[2];
};
*/
static void destroy(private_child_sa_t *this)
{
+ charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
allocator_free(this);
}
/*
* Described in header.
*/
-child_sa_t * child_sa_create(protocol_id_t sa_type, prf_plus_t *prf_plus)
+child_sa_t * child_sa_create(child_proposal_t *proposal, prf_plus_t *prf_plus)
{
private_child_sa_t *this = allocator_alloc_thing(private_child_sa_t);
+ u_int i;
/* public functions */
this->public.get_spi = (u_int32_t(*)(child_sa_t*))get_spi;
this->public.destroy = (void(*)(child_sa_t*))destroy;
/* private data */
- this->sa_type = sa_type;
+ this->logger = charon->logger_manager->create_logger(charon->logger_manager, CHILD_SA, NULL);
+ proposal->get_protocols(proposal, this->protocols);
+
+ /* derive keys */
+ for (i = 0; i<2; i++)
+ {
+ if (this->protocols[i] != UNDEFINED_PROTOCOL_ID)
+ {
+ algorithm_t *algo;
+ chunk_t key;
+
+ /* get encryption key */
+ if (proposal->get_algorithm(proposal, this->protocols[i], ENCRYPTION_ALGORITHM, &algo))
+ {
+ this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s, ",
+ mapping_find(protocol_id_m, this->protocols[i]),
+ mapping_find(transform_type_m, ENCRYPTION_ALGORITHM),
+ mapping_find(encryption_algorithm_m, algo->algorithm));
+
+ prf_plus->allocate_bytes(prf_plus, algo->key_size, &key);
+ this->logger->log_chunk(this->logger, PRIVATE, "key:", &key);
+ allocator_free_chunk(&key);
+ }
+
+ /* get integrity key */
+ if (proposal->get_algorithm(proposal, this->protocols[i], INTEGRITY_ALGORITHM, &algo))
+ {
+ this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s,",
+ mapping_find(protocol_id_m, this->protocols[i]),
+ mapping_find(transform_type_m, INTEGRITY_ALGORITHM),
+ mapping_find(integrity_algorithm_m, algo->algorithm));
+
+ prf_plus->allocate_bytes(prf_plus, algo->key_size, &key);
+ this->logger->log_chunk(this->logger, PRIVATE, "key:", &key);
+ allocator_free_chunk(&key);
+ }
+ }
+ }
return (&this->public);
}
/**
* @brief Represents a CHILD_SA between to hosts.
*
- * An IKE_SA must already be established.
*
* @b Constructors:
* - child_sa_create
* @return child_sa_t object
* @ingroup sa
*/
-child_sa_t * child_sa_create(protocol_id_t protocol_id, prf_plus_t *prf_plus);
-
-/**
- * @brief Constructor to create a new CHILD_SA.
- *
- * @param protocol_id protocol id (AH or ESP) of CHILD_SA
- * @param prf_plus prf_plus_t object use to derive shared secrets
- * @return child_sa_t object
- * @ingroup sa
- */
-child_sa_t * child_sa_create_with_spi(protocol_id_t protocol_id, prf_plus_t *prf_plus);
+child_sa_t * child_sa_create(child_proposal_t *proposal, prf_plus_t *prf_plus);
#endif /*_CHILD_SA_H_*/
#include <transforms/crypters/crypter.h>
#include <sa/states/ike_sa_established.h>
#include <sa/authenticator.h>
+#include <sa/child_sa.h>
typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
{
child_proposal_t *proposal, *proposal_tmp;
linked_list_t *proposal_list;
- protocol_id_t proto;
+ child_sa_t *child_sa;
+ chunk_t seed;
+ prf_plus_t *prf_plus;
/* get his selected proposal */
proposal_list = sa_payload->get_child_proposals(sa_payload);
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not offered proposal. Deleting IKE_SA");
return DELETE_ME;
}
- this->logger->log(this->logger, CONTROL|LEVEL1, "selected proposals:");
- for (proto = AH; proto <= ESP; proto++)
- {
- transform_type_t types[] = {ENCRYPTION_ALGORITHM, INTEGRITY_ALGORITHM, DIFFIE_HELLMAN_GROUP, EXTENDED_SEQUENCE_NUMBERS};
- mapping_t *mappings[] = {encryption_algorithm_m, integrity_algorithm_m, diffie_hellman_group_m, extended_sequence_numbers_m};
- algorithm_t *algo;
- int i;
- for (i = 0; i<sizeof(types)/sizeof(transform_type_t); i++)
- {
- if (proposal->get_algorithm(proposal, proto, types[i], &algo))
- {
- this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s (keysize: %d)",
- mapping_find(protocol_id_m, proto),
- mapping_find(transform_type_m, types[i]),
- mapping_find(mappings[i], algo->algorithm),
- algo->key_size);
- }
- }
- }
+
+ /* install child SAs for AH and esp */
+ seed = allocator_alloc_as_chunk(this->sent_nonce.len + this->received_nonce.len);
+ memcpy(seed.ptr, this->sent_nonce.ptr, this->sent_nonce.len);
+ memcpy(seed.ptr + this->sent_nonce.len, this->received_nonce.ptr, this->received_nonce.len);
+ prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
+ allocator_free_chunk(&seed);
+
+ child_sa = child_sa_create(proposal, prf_plus);
+ prf_plus->destroy(prf_plus);
+ child_sa->destroy(child_sa);
- /* TODO: Proposal? child_sa */
proposal->destroy(proposal);
return SUCCESS;
#include <daemon.h>
#include <utils/allocator.h>
#include <sa/authenticator.h>
+#include <sa/child_sa.h>
#include <encoding/payloads/ts_payload.h>
#include <encoding/payloads/sa_payload.h>
#include <encoding/payloads/id_payload.h>
child_proposal_t *proposal, *proposal_tmp;
linked_list_t *proposal_list;
sa_payload_t *sa_response;
- protocol_id_t proto;
+ child_sa_t *child_sa;
+ prf_plus_t *prf_plus;
+ chunk_t seed;
/* TODO: child sa stuff */
this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER);
return DELETE_ME;
}
- for (proto = AH; proto <= ESP; proto++)
- {
- transform_type_t types[] = {ENCRYPTION_ALGORITHM, INTEGRITY_ALGORITHM, DIFFIE_HELLMAN_GROUP, EXTENDED_SEQUENCE_NUMBERS};
- mapping_t *mappings[] = {encryption_algorithm_m, integrity_algorithm_m, diffie_hellman_group_m, extended_sequence_numbers_m};
- algorithm_t *algo;
- int i;
- for (i = 0; i<sizeof(types)/sizeof(transform_type_t); i++)
- {
- if (proposal->get_algorithm(proposal, proto, types[i], &algo))
- {
- this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s (keysize: %d)",
- mapping_find(protocol_id_m, proto),
- mapping_find(transform_type_m, types[i]),
- mapping_find(mappings[i], algo->algorithm),
- algo->key_size);
- }
- }
- }
/* create payload with selected propsal */
sa_response = sa_payload_create_from_child_proposal(proposal);
response->add_payload(response, (payload_t*)sa_response);
- proposal->destroy(proposal);
/* install child SAs for AH and esp */
-// algorithm_t *encr, *integ;
-// char enc_key_buffer[] = "123";
-// chunk_t enc_key = {ptr: enc_key_buffer, len: 4};
-// char int_key_buffer[] = "345";
-// chunk_t int_key = {ptr: int_key_buffer, len: 4};
-// proposal->get_algorithm(proposal, ESP, ENCRYPTION_ALGORITHM, &encr);
-// proposal->get_algorithm(proposal, ESP, INTEGRITY_ALGORITHM, &integ);
-//
-// charon->kernel_interface->add_sa(charon->kernel_interface,
-// this->ike_sa->get_my_host(this->ike_sa),
-// this->ike_sa->get_other_host(this->ike_sa),
-// proposal->get_spi(proposal, AH),
-// AH,
-// TRUE,
-// encr->algorithm, encr->key_size, enc_key,
-// integ->algorithm, integ->key_size, int_key,
-// TRUE);
-//
-// POS;
+ seed = allocator_alloc_as_chunk(this->received_nonce.len + this->sent_nonce.len);
+ memcpy(seed.ptr, this->received_nonce.ptr, this->received_nonce.len);
+ memcpy(seed.ptr + this->received_nonce.len, this->sent_nonce.ptr, this->sent_nonce.len);
+ prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
+ allocator_free_chunk(&seed);
+
+ child_sa = child_sa_create(proposal, prf_plus);
+ prf_plus->destroy(prf_plus);
+ child_sa->destroy(child_sa);
+ proposal->destroy(proposal);
return SUCCESS;
}
static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *label, char *bytes, size_t len)
{
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
-
- /* since me can't do multi-line output to syslog,
- * we must do multiple syslogs. To avoid
- * problems in output order, lock this by a mutex.
- */
- pthread_mutex_lock(&mutex);
+
if ((this->level & loglevel) == loglevel)
{
char *buffer_pos;
char *bytes_pos, *bytes_roof;
int i;
+ int line_start = 0;
+
+ /* since me can't do multi-line output to syslog,
+ * we must do multiple syslogs. To avoid
+ * problems in output order, lock this by a mutex.
+ */
+ pthread_mutex_lock(&mutex);
format = "%s (%d bytes)";
buffer_pos = buffer;
if (this->output == NULL)
{
- syslog(LOG_INFO, "| %s", buffer);
+ syslog(LOG_INFO, "[=>] [%5d ] %s", line_start, buffer);
}
else
{
- fprintf(this->output, "| %s\n", buffer);
+ fprintf(this->output, "[=>] [%5d ] %s\n", line_start, buffer);
}
+ line_start += 16;
}
else if ((i % 8) == 0)
{
buffer_pos = buffer;
if (this->output == NULL)
{
- syslog(LOG_INFO, "| %s", buffer);
+ syslog(LOG_INFO, "[=>] [%5d ] %s", line_start, buffer);
}
else
{
- fprintf(this->output, "| %s\n", buffer);
+ fprintf(this->output, "[=>] [%5d ] %s\n", line_start, buffer);
}
}
+ pthread_mutex_unlock(&mutex);
}
- pthread_mutex_unlock(&mutex);
}
/**
{GENERATOR, "GENRAT"},
{IKE_SA, "IKE_SA"},
{IKE_SA_MANAGER, "ISAMGR"},
+ {CHILD_SA, "CHLDSA"},
{MESSAGE, "MESSAG"},
{THREAD_POOL, "THPOOL"},
{WORKER, "WORKER"},
{DAEMON, "DAEMON"},
{CONFIGURATION_MANAGER, "CONFIG"},
{ENCRYPTION_PAYLOAD, "ENCPLD"},
- {PRIME_POOL, "PRIMEP"},
{MAPPING_END, NULL},
};
logger_level |= LEVEL1;
log_thread_ids = TRUE;
break;
+ case CHILD_SA:
+ logger_level |= LEVEL1|PRIVATE;
+ log_thread_ids = TRUE;
+ break;
case CONFIGURATION_MANAGER:
log_thread_ids = TRUE;
break;
break;
case THREAD_POOL:
break;
- case PRIME_POOL:
- break;
case SCHEDULER:
logger_level = 0;
break;
GENERATOR,
IKE_SA,
IKE_SA_MANAGER,
+ CHILD_SA,
MESSAGE,
THREAD_POOL,
WORKER,
DAEMON,
CONFIGURATION_MANAGER,
ENCRYPTION_PAYLOAD,
- PRIME_POOL,
};