From: Reto Buerki <reet@codelabs.ch>
Date: Tue, 21 Aug 2012 10:17:05 +0000 (+0200)
Subject: Add skeleton for TKM keymat variant
X-Git-Tag: 5.0.3rc1~39^2~92
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b3bcdfadaa6c305d09af459c7e568b9b6854bef;p=thirdparty%2Fstrongswan.git

Add skeleton for TKM keymat variant
---

diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index bf8745aecf..e102b4e0d7 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -31,10 +31,12 @@
 #include <library.h>
 #include <utils/backtrace.h>
 #include <threading/thread.h>
+#include <sa/keymat.h>
 
 #include "tkm.h"
 #include "tkm_nonceg.h"
 #include "tkm_diffie_hellman.h"
+#include "tkm_keymat.h"
 
 /**
  * PID file, in which charon-tkm stores its process id
@@ -280,6 +282,9 @@ int main(int argc, char *argv[])
 	lib->plugins->add_static_features(lib->plugins, "tkm-backend", features,
 			countof(features), TRUE);
 
+	/* register TKM keymat variant */
+	keymat_register_constructor(IKEV2, (keymat_constructor_t)tkm_keymat_create);
+
 	/* initialize daemon */
 	if (!charon->initialize(charon, PLUGINS))
 	{
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
new file mode 100644
index 0000000000..cdc6800f02
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -0,0 +1,132 @@
+/*
+ * Copyrigth (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+
+#include "tkm_keymat.h"
+
+typedef struct private_tkm_keymat_t private_tkm_keymat_t;
+
+/**
+ * Private data of a keymat_t object.
+ */
+struct private_tkm_keymat_t {
+
+	/**
+	 * Public tkm_keymat_t interface.
+	 */
+	tkm_keymat_t public;
+
+};
+
+METHOD(keymat_t, get_version, ike_version_t,
+	private_tkm_keymat_t *this)
+{
+	return IKEV2;
+}
+
+METHOD(keymat_t, create_dh, diffie_hellman_t*,
+	private_tkm_keymat_t *this, diffie_hellman_group_t group)
+{
+	return lib->crypto->create_dh(lib->crypto, group);
+}
+
+METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
+	private_tkm_keymat_t *this)
+{
+	return lib->crypto->create_nonce_gen(lib->crypto);
+}
+
+METHOD(tkm_keymat_t, derive_ike_keys, bool,
+	private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
+	pseudo_random_function_t rekey_function, chunk_t rekey_skd)
+{
+	DBG1(DBG_IKE, "deriving IKE keys");
+	return FALSE;
+}
+
+METHOD(tkm_keymat_t, derive_child_keys, bool,
+	private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
+	chunk_t *encr_r, chunk_t *integ_r)
+{
+	DBG1(DBG_CHD, "deriving child keys");
+	return FALSE;
+}
+
+METHOD(keymat_t, get_aead, aead_t*,
+	private_tkm_keymat_t *this, bool in)
+{
+	DBG1(DBG_IKE, "get_aead called");
+	return NULL;
+}
+
+METHOD(tkm_keymat_t, get_auth_octets, bool,
+	private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
+	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
+{
+	DBG1(DBG_IKE, "returning auth octets");
+	return FALSE;
+}
+
+METHOD(tkm_keymat_t, get_skd, pseudo_random_function_t,
+	private_tkm_keymat_t *this, chunk_t *skd)
+{
+	DBG1(DBG_IKE, "returning skd");
+	return PRF_UNDEFINED;
+}
+
+METHOD(tkm_keymat_t, get_psk_sig, bool,
+	private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
+	chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
+{
+	DBG1(DBG_IKE, "returning PSK signature");
+	return FALSE;
+}
+
+METHOD(keymat_t, destroy, void,
+	private_tkm_keymat_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header.
+ */
+tkm_keymat_t *tkm_keymat_create(bool initiator)
+{
+	private_tkm_keymat_t *this;
+
+	INIT(this,
+		.public = {
+			.keymat = {
+				.get_version = _get_version,
+				.create_dh = _create_dh,
+				.create_nonce_gen = _create_nonce_gen,
+				.get_aead = _get_aead,
+				.destroy = _destroy,
+			},
+			.derive_ike_keys = _derive_ike_keys,
+			.derive_child_keys = _derive_child_keys,
+			.get_skd = _get_skd,
+			.get_auth_octets = _get_auth_octets,
+			.get_psk_sig = _get_psk_sig,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.h b/src/charon-tkm/src/tkm/tkm_keymat.h
new file mode 100644
index 0000000000..2def71fb3d
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_keymat.h
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TKM_KEYMAT_H_
+#define TKM_KEYMAT_H_
+
+#include <sa/keymat.h>
+
+typedef struct tkm_keymat_t tkm_keymat_t;
+
+/**
+ * Derivation and management of sensitive keying material, TKM variant.
+ */
+struct tkm_keymat_t {
+
+	/**
+	 * Implements keymat_t.
+	 */
+	keymat_t keymat;
+
+	/**
+	 * Use TKM to derive IKE key material.
+	 *
+	 * @param proposal	selected algorithms
+	 * @param dh		diffie hellman key allocated by create_dh()
+	 * @param nonce_i	initiators nonce value
+	 * @param nonce_r	responders nonce value
+	 * @param id		IKE_SA identifier
+	 * @param rekey_prf	PRF of old SA if rekeying, PRF_UNDEFINED otherwise
+	 * @param rekey_skd	SKd of old SA if rekeying
+	 * @return			TRUE on success
+	 */
+	bool (*derive_ike_keys)(tkm_keymat_t *this, proposal_t *proposal,
+							diffie_hellman_t *dh, chunk_t nonce_i,
+							chunk_t nonce_r, ike_sa_id_t *id,
+							pseudo_random_function_t rekey_function,
+							chunk_t rekey_skd);
+
+	/**
+	 * Use TKM to derive child key material.
+	 *
+	 * @param proposal	selected algorithms
+	 * @param dh		diffie hellman key allocated by create_dh(), or NULL
+	 * @param nonce_i	initiators nonce value
+	 * @param nonce_r	responders nonce value
+	 * @param encr_i	handle to initiators encryption key
+	 * @param integ_i	handle to initiators integrity key
+	 * @param encr_r	handle to responders encryption key
+	 * @param integ_r	handle to responders integrity key
+	 * @return			TRUE on success
+	 */
+	bool (*derive_child_keys)(tkm_keymat_t *this,
+							  proposal_t *proposal, diffie_hellman_t *dh,
+							  chunk_t nonce_i, chunk_t nonce_r,
+							  chunk_t *encr_i, chunk_t *integ_i,
+							  chunk_t *encr_r, chunk_t *integ_r);
+
+	/**
+	 * Use TKM to generate auth octets.
+	 *
+	 * @param verify		TRUE to create for verfification, FALSE to sign
+	 * @param ike_sa_init	encoded ike_sa_init message
+	 * @param nonce			nonce value
+	 * @param id			identity
+	 * @param reserved		reserved bytes of id_payload
+	 * @param octests		chunk receiving allocated auth octets
+	 * @return				TRUE if octets created successfully
+	 */
+	bool (*get_auth_octets)(tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
+							chunk_t nonce, identification_t *id,
+							char reserved[3], chunk_t *octets);
+
+	/**
+	 * Get SKd and PRF to derive keymat.
+	 *
+	 * @param skd	chunk to write SKd to (internal data)
+	 * @return		PRF function to derive keymat
+	 */
+	pseudo_random_function_t (*get_skd)(tkm_keymat_t *this, chunk_t *skd);
+
+	/**
+	 * Build the shared secret signature used for PSK and EAP authentication.
+	 *
+	 * @param verify		TRUE to create for verfification, FALSE to sign
+	 * @param ike_sa_init	encoded ike_sa_init message
+	 * @param nonce			nonce value
+	 * @param secret		optional secret to include into signature
+	 * @param id			identity
+	 * @param reserved		reserved bytes of id_payload
+	 * @param sign			chunk receiving allocated signature octets
+	 * @return				TRUE if signature created successfully
+	 */
+	bool (*get_psk_sig)(tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
+						chunk_t nonce, chunk_t secret,
+						identification_t *id, char reserved[3], chunk_t *sig);
+};
+
+/**
+ * Create TKM keymat instance.
+ *
+ * @param initiator			TRUE if we are the initiator
+ * @return					keymat instance
+ */
+tkm_keymat_t *tkm_keymat_create(bool initiator);
+
+#endif /** KEYMAT_TKM_H_ */