Annotation of embedaddon/strongswan/src/libcharon/sa/ikev2/keymat_v2.h, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2011-2015 Tobias Brunner
! 3: * HSR Hochschule fuer Technik Rapperswil
! 4: *
! 5: * This program is free software; you can redistribute it and/or modify it
! 6: * under the terms of the GNU General Public License as published by the
! 7: * Free Software Foundation; either version 2 of the License, or (at your
! 8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 9: *
! 10: * This program is distributed in the hope that it will be useful, but
! 11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 13: * for more details.
! 14: */
! 15:
! 16: /**
! 17: * @defgroup keymat_v2 keymat_v2
! 18: * @{ @ingroup ikev2
! 19: */
! 20:
! 21: #ifndef KEYMAT_V2_H_
! 22: #define KEYMAT_V2_H_
! 23:
! 24: #include <sa/keymat.h>
! 25: #include <collections/array.h>
! 26:
! 27: typedef struct keymat_v2_t keymat_v2_t;
! 28:
! 29: /**
! 30: * Derivation and management of sensitive keying material, IKEv2 variant.
! 31: */
! 32: struct keymat_v2_t {
! 33:
! 34: /**
! 35: * Implements keymat_t.
! 36: */
! 37: keymat_t keymat;
! 38:
! 39: /**
! 40: * Derive keys for the IKE_SA.
! 41: *
! 42: * These keys are not handed out, but are used by the associated signers,
! 43: * crypters and authentication functions.
! 44: *
! 45: * @param proposal selected algorithms
! 46: * @param dh diffie hellman key allocated by create_dh()
! 47: * @param nonce_i initiators nonce value
! 48: * @param nonce_r responders nonce value
! 49: * @param id IKE_SA identifier
! 50: * @param rekey_prf PRF of old SA if rekeying, PRF_UNDEFINED otherwise
! 51: * @param rekey_sdk SKd of old SA if rekeying
! 52: * @return TRUE on success
! 53: */
! 54: bool (*derive_ike_keys)(keymat_v2_t *this, proposal_t *proposal,
! 55: diffie_hellman_t *dh, chunk_t nonce_i,
! 56: chunk_t nonce_r, ike_sa_id_t *id,
! 57: pseudo_random_function_t rekey_function,
! 58: chunk_t rekey_skd);
! 59:
! 60: /**
! 61: * Derive SK_d, SK_pi and SK_pr after authentication using the given
! 62: * Postquantum Preshared Key and the previous values of these keys that
! 63: * were derived by derive_ike_keys().
! 64: *
! 65: * @param ppk the postquantum preshared key
! 66: * @return TRUE on success
! 67: */
! 68: bool (*derive_ike_keys_ppk)(keymat_v2_t *this, chunk_t ppk);
! 69:
! 70: /**
! 71: * Derive keys for a CHILD_SA.
! 72: *
! 73: * The keys for the CHILD_SA are allocated in the integ and encr chunks.
! 74: * An implementation might hand out encrypted keys only, which are
! 75: * decrypted in the kernel before use.
! 76: * If no PFS is used for the CHILD_SA, dh can be NULL.
! 77: *
! 78: * @param proposal selected algorithms
! 79: * @param dh diffie hellman key allocated by create_dh(), or NULL
! 80: * @param nonce_i initiators nonce value
! 81: * @param nonce_r responders nonce value
! 82: * @param encr_i chunk to write initiators encryption key to
! 83: * @param integ_i chunk to write initiators integrity key to
! 84: * @param encr_r chunk to write responders encryption key to
! 85: * @param integ_r chunk to write responders integrity key to
! 86: * @return TRUE on success
! 87: */
! 88: bool (*derive_child_keys)(keymat_v2_t *this,
! 89: proposal_t *proposal, diffie_hellman_t *dh,
! 90: chunk_t nonce_i, chunk_t nonce_r,
! 91: chunk_t *encr_i, chunk_t *integ_i,
! 92: chunk_t *encr_r, chunk_t *integ_r);
! 93: /**
! 94: * Get SKd to pass to derive_ikey_keys() during rekeying.
! 95: *
! 96: * @param skd chunk to write SKd to (internal data)
! 97: * @return PRF function to derive keymat
! 98: */
! 99: pseudo_random_function_t (*get_skd)(keymat_v2_t *this, chunk_t *skd);
! 100:
! 101: /**
! 102: * Generate octets to use for authentication procedure (RFC4306 2.15).
! 103: *
! 104: * This method creates the plain octets and is usually signed by a private
! 105: * key. PSK and EAP authentication include a secret into the data, use
! 106: * the get_psk_sig() method instead.
! 107: *
! 108: * @param verify TRUE to create for verification, FALSE to sign
! 109: * @param ike_sa_init encoded ike_sa_init message
! 110: * @param nonce nonce value
! 111: * @param ppk optional postquantum preshared key
! 112: * @param id identity
! 113: * @param reserved reserved bytes of id_payload
! 114: * @param octests chunk receiving allocated auth octets
! 115: * @param schemes array containing signature schemes
! 116: * (signature_params_t*) in case they need to be
! 117: * modified by the keymat implementation
! 118: * @return TRUE if octets created successfully
! 119: */
! 120: bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
! 121: chunk_t nonce, chunk_t ppk, identification_t *id,
! 122: char reserved[3], chunk_t *octets,
! 123: array_t *schemes);
! 124: /**
! 125: * Build the shared secret signature used for PSK and EAP authentication.
! 126: *
! 127: * This method wraps the get_auth_octets() method and additionally
! 128: * includes the secret into the signature. If no secret is given, SK_p is
! 129: * used as secret (used for EAP methods without MSK).
! 130: *
! 131: * @param verify TRUE to create for verification, FALSE to sign
! 132: * @param ike_sa_init encoded ike_sa_init message
! 133: * @param nonce nonce value
! 134: * @param secret optional secret to include into signature
! 135: * @param ppk optional postquantum preshared key
! 136: * @param id identity
! 137: * @param reserved reserved bytes of id_payload
! 138: * @param sign chunk receiving allocated signature octets
! 139: * @return TRUE if signature created successfully
! 140: */
! 141: bool (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
! 142: chunk_t nonce, chunk_t secret, chunk_t ppk,
! 143: identification_t *id, char reserved[3], chunk_t *sig);
! 144:
! 145: /**
! 146: * Add a hash algorithm supported by the peer for signature authentication.
! 147: *
! 148: * @param hash hash algorithm
! 149: */
! 150: void (*add_hash_algorithm)(keymat_v2_t *this, hash_algorithm_t hash);
! 151:
! 152: /**
! 153: * Check if a given hash algorithm is supported by the peer for signature
! 154: * authentication.
! 155: *
! 156: * @param hash hash algorithm
! 157: * @return TRUE if supported, FALSE otherwise
! 158: */
! 159: bool (*hash_algorithm_supported)(keymat_v2_t *this, hash_algorithm_t hash);
! 160: };
! 161:
! 162: /**
! 163: * Create a keymat instance.
! 164: *
! 165: * @param initiator TRUE if we are the initiator
! 166: * @return keymat instance
! 167: */
! 168: keymat_v2_t *keymat_v2_create(bool initiator);
! 169:
! 170: #endif /** KEYMAT_V2_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to keymat_v2.h CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / ikev2