Store peer IKE init message
authorAdrian-Ken Rueegsegger <ken@codelabs.ch>
Wed, 7 Nov 2012 16:54:24 +0000 (17:54 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 Mar 2013 14:23:49 +0000 (15:23 +0100)
The IKE init message sent to us by the peer is needed for authentication
in the authorization hook. Store the message as chunk in the keymat and
provide a getter to make it available.

src/charon-tkm/src/tkm/tkm_keymat.c
src/charon-tkm/src/tkm/tkm_keymat.h

index 9beb104..2fc5d60 100644 (file)
@@ -66,6 +66,11 @@ struct private_tkm_keymat_t {
         */
        chunk_t auth_payload;
 
+       /**
+        * Peer init message chunk.
+        */
+       chunk_t other_init_msg;
+
 };
 
 /**
@@ -357,6 +362,11 @@ METHOD(keymat_v2_t, get_auth_octets, bool,
        private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
        chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
 {
+       if (verify)
+       {
+               /* store peer init message for authentication step */
+               this->other_init_msg = chunk_clone(ike_sa_init);
+       }
        DBG1(DBG_IKE, "returning auth octets");
        *octets = chunk_empty;
        return TRUE;
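Review bot: The assignment `this->other_init_msg = chunk_clone(ike_sa_init);` overwrites whatever clone an earlier call stored without releasing it, so if get_auth_octets runs more than once with verify set on the same keymat (several AUTH rounds on one SA would presumably do this) every clone but the last leaks, since destroy only frees the final one. Release the slot before cloning: `chunk_free(&this->other_init_msg);` immediately before the chunk_clone line. The closing brace of get_auth_octets lies outside the hunk.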
@@ -432,6 +442,7 @@ METHOD(keymat_t, destroy, void,
        DESTROY_IF(this->aead_in);
        DESTROY_IF(this->aead_out);
        chunk_free(&this->auth_payload);
+       chunk_free(&this->other_init_msg);
        free(this);
 }
 
@@ -453,6 +464,12 @@ METHOD(tkm_keymat_t, get_auth_payload, chunk_t*,
        return &this->auth_payload;
 }
 
+METHOD(tkm_keymat_t, get_peer_init_msg, chunk_t*,
+       private_tkm_keymat_t *this)
+{
+       return &this->other_init_msg;
+}
+
 /**
  * See header.
  */
@@ -479,11 +496,13 @@ tkm_keymat_t *tkm_keymat_create(bool initiator)
                        .get_isa_id = _get_isa_id,
                        .set_auth_payload = _set_auth_payload,
                        .get_auth_payload = _get_auth_payload,
+                       .get_peer_init_msg = _get_peer_init_msg,
                },
                .initiator = initiator,
                .isa_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ISA),
                .ae_ctx_id = 0,
                .auth_payload = chunk_empty,
+               .other_init_msg = chunk_empty,
        );
 
        if (!this->isa_ctx_id)
index 16f2f2a..207f972 100644 (file)
@@ -52,6 +52,13 @@ struct tkm_keymat_t {
         */
        chunk_t* (*get_auth_payload)(tkm_keymat_t * const this);
 
+       /**
+        * Get IKE init message of peer.
+        *
+        * @return                              init message if set, chunk_empty otherwise
+        */
+       chunk_t* (*get_peer_init_msg)(tkm_keymat_t * const this);
+
 };
 
 /**
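Review bot: The new doc block for get_peer_init_msg does not state who owns the returned pointer; the implementation returns `&this->other_init_msg`, a pointer into the keymat's own storage that destroy frees, so a caller must neither free it nor keep it past the keymat's lifetime. Suggest replacing the @return line with `@return pointer to stored init message (owned by keymat, valid until destroy), chunk_empty if not set`.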