[strongSwan-dev] New pull request for feature saveKeys

Emeric POUPON emeric.poupon at stormshield.eu
Thu Aug 11 10:42:29 CEST 2016


Hi,

Indeed you are right, you have to make a key derivation again.
Since this plugin is likely to be used for debugging purposes, it does not sound that bad to rederive keys in your plugin.

Another possibility: in the ike_state_change event processing, get the aead_t that is used (ike_sa->get_keymat->get_aead)
and implement new accessors to get back the underlying alg/keys used for encryption/integrity?

No obvious solution for CHILD SA though, it looks like keys are derived, injected into the kernel and then no longer stored.

Emeric


----- Original Message -----
From: "Codrut Grosu" <cgrosu at ixiacom.com>
To: "Emeric POUPON" <emeric.poupon at stormshield.eu>
Cc: dev at lists.strongswan.org
Sent: Thursday, 11 August, 2016 10:27:25
Subject: Re: [strongSwan-dev] New pull request for feature saveKeys

Hi Emeric,

As pointed out by Tobias Brunner in the comments at [1], with the hook functions for ike_keys and child_keys in the listener_t interface I won't get the derived keys.

About ike_state_change, I will need to take a look at that function.

Thanks for the feedback,
Codrut.


[1]: https://wiki.strongswan.org/issues/1557

________________________________
From: Emeric POUPON <emeric.poupon at stormshield.eu>
Sent: Thursday, August 11, 2016 11:09 AM
To: Codrut Grosu
Cc: dev at lists.strongswan.org
Subject: Re: [strongSwan-dev] New pull request for feature saveKeys

Hello,

Well I am not a strongSwan internal expert, but you could have used already existing messages in order to save what you need?
There already are some hooks used by the HA plugin to replicate states on different nodes of a HA cluster.

For example:
- ike_state_change -> on ESTABLISHED, get the SPIs
- ike_keys -> get the IKE SA keys
- child_keys -> get the CHILD SA keys


Regards,

Emeric


----- Original Message -----
From: "Codrut Grosu" <cgrosu at ixiacom.com>
To: dev at lists.strongswan.org
Sent: Thursday, 11 August, 2016 09:51:05
Subject: [strongSwan-dev] New pull request for feature saveKeys

Hi,

I finished writing the code for feature [1].

I created a pull request to merge the code with the upstream. [2]

Can you please take a look at the code?

Cheers,
Codrut.

[1]: https://wiki.strongswan.org/issues/1557
[2]: https://github.com/strongswan/strongswan/pull/49




