ha: Add auth method for HA IKEv1 key derivation
authorThomas Egerer <thomas.egerer@secunet.com>
Thu, 22 Nov 2018 17:08:51 +0000 (18:08 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 7 Dec 2018 09:17:56 +0000 (10:17 +0100)
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
src/libcharon/bus/bus.c
src/libcharon/bus/bus.h
src/libcharon/bus/listeners/listener.h
src/libcharon/plugins/ha/ha_dispatcher.c
src/libcharon/plugins/ha/ha_ike.c
src/libcharon/plugins/ha/ha_message.c
src/libcharon/plugins/ha/ha_message.h
src/libcharon/sa/ikev1/phase1.c
src/libcharon/sa/ikev2/tasks/ike_init.c

index f4c01c2..b7348f0 100644 (file)
@@ -575,7 +575,7 @@ METHOD(bus_t, message, void,
 METHOD(bus_t, ike_keys, void,
        private_bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
        chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
-       ike_sa_t *rekey, shared_key_t *shared)
+       ike_sa_t *rekey, shared_key_t *shared, auth_method_t method)
 {
        enumerator_t *enumerator;
        entry_t *entry;
@@ -591,7 +591,8 @@ METHOD(bus_t, ike_keys, void,
                }
                entry->calling++;
                keep = entry->listener->ike_keys(entry->listener, ike_sa, dh, dh_other,
-                                                                                nonce_i, nonce_r, rekey, shared);
+                                                                                nonce_i, nonce_r, rekey, shared,
+                                                                                method);
                entry->calling--;
                if (!keep)
                {
index df75683..8a97e8d 100644 (file)
@@ -353,10 +353,12 @@ struct bus_t {
         * @param nonce_r       responder's nonce
         * @param rekey         IKE_SA we are rekeying, if any (IKEv2 only)
         * @param shared        shared key used for key derivation (IKEv1-PSK only)
+        * @param method        auth method for key derivation (IKEv1-non-PSK only)
         */
        void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
                                         chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
-                                        ike_sa_t *rekey, shared_key_t *shared);
+                                        ike_sa_t *rekey, shared_key_t *shared,
+                                        auth_method_t method);
 
        /**
         * IKE_SA derived keys hook.
index 06057eb..0f3b857 100644 (file)
@@ -88,11 +88,13 @@ struct listener_t {
         * @param nonce_r       responder's nonce
         * @param rekey         IKE_SA we are rekeying, if any (IKEv2 only)
         * @param shared        shared key used for key derivation (IKEv1-PSK only)
+        * @param method        auth method for key derivation (IKEv1-non-PSK only)
         * @return                      TRUE to stay registered, FALSE to unregister
         */
        bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
                                         chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
-                                        ike_sa_t *rekey, shared_key_t *shared);
+                                        ike_sa_t *rekey, shared_key_t *shared,
+                                        auth_method_t method);
 
        /**
         * Hook called with derived IKE_SA keys.
index 4e38038..ab84531 100644 (file)
@@ -138,6 +138,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
        chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty;
        host_t *other = NULL;
        bool ok = FALSE;
+       auth_method_t method = AUTH_RSA;
 
        enumerator = message->create_attribute_enumerator(message);
        while (enumerator->enumerate(enumerator, &attribute, &value))
@@ -197,6 +198,8 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
                        case HA_ALG_DH:
                                dh_grp = value.u16;
                                break;
+                       case HA_AUTH_METHOD:
+                               method = value.u16;
                        default:
                                break;
                }
@@ -238,7 +241,6 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
                {
                        keymat_v1_t *keymat_v1 = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
                        shared_key_t *shared = NULL;
-                       auth_method_t method = AUTH_RSA;
 
                        if (psk.len)
                        {
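Review bot: The new `case HA_AUTH_METHOD:` lacks a `break;` after `method = value.u16;`, so it falls through into `default:`; that is only harmless because `default` does nothing, and `-Wimplicit-fallthrough` will flag it. Add `break;` after the assignment so the case reads like the `HA_ALG_DH` case above it. The value is also taken straight from the HA peer's message as a bare uint16 and stored into an `auth_method_t` with no range check; if the IKEv1 keymat later switches on it, a value outside the known enumerators should presumably be rejected before use rather than forwarded, though the consumer is not visible from here. process_ike_add starts and ends outside the hunk.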
index 2854ab7..aae402d 100644 (file)
@@ -73,7 +73,7 @@ static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext)
 METHOD(listener_t, ike_keys, bool,
        private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
        chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey,
-       shared_key_t *shared)
+       shared_key_t *shared, auth_method_t method)
 {
        ha_message_t *m;
        chunk_t secret;
@@ -141,6 +141,10 @@ METHOD(listener_t, ike_keys, bool,
                {
                        m->add_attribute(m, HA_PSK, shared->get_key(shared));
                }
+               else
+               {
+                       m->add_attribute(m, HA_AUTH_METHOD, method);
+               }
        }
        m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
 
index 7891b16..28b7b0d 100644 (file)
@@ -240,6 +240,7 @@ METHOD(ha_message_t, add_attribute, void,
                case HA_OUTBOUND_CPI:
                case HA_SEGMENT:
                case HA_ESN:
+               case HA_AUTH_METHOD:
                {
                        uint16_t val;
 
@@ -463,6 +464,7 @@ METHOD(enumerator_t, attribute_enumerate, bool,
                case HA_OUTBOUND_CPI:
                case HA_SEGMENT:
                case HA_ESN:
+               case HA_AUTH_METHOD:
                {
                        if (this->buf.len < sizeof(uint16_t))
                        {
index 3e43dc8..3c0058d 100644 (file)
@@ -156,6 +156,8 @@ enum ha_message_attribute_t {
        HA_PSK,
        /** chunk_t, IV for next IKEv1 message */
        HA_IV,
+       /** uint16_t, auth_method_t for IKEv1 key derivation */
+       HA_AUTH_METHOD,
 };
 
 /**
index b99d751..ac2899f 100644 (file)
@@ -251,7 +251,8 @@ METHOD(phase1_t, derive_keys, bool,
                return FALSE;
        }
        charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, this->dh_value,
-                                                 this->nonce_i, this->nonce_r, NULL, shared_key);
+                                                 this->nonce_i, this->nonce_r, NULL, shared_key,
+                                                 method);
        DESTROY_IF(shared_key);
        return TRUE;
 }
index 307d992..b508618 100644 (file)
@@ -773,7 +773,7 @@ static bool derive_keys(private_ike_init_t *this,
                return FALSE;
        }
        charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, chunk_empty,
-                                                 nonce_i, nonce_r, this->old_sa, NULL);
+                                                 nonce_i, nonce_r, this->old_sa, NULL, AUTH_NONE);
        return TRUE;
 }