ha: Add DH group to IKE_ADD message
authorTobias Brunner <tobias@strongswan.org>
Tue, 19 Jan 2016 13:42:17 +0000 (14:42 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 1 Feb 2016 09:50:41 +0000 (10:50 +0100)
It is required for IKEv1 to determine the DH group of the CHILD SAs
during rekeying. It also fixes the status output for HA SAs, which so
far hasn't shown the DH group on the passive side.

Fixes #1267.

src/libcharon/plugins/ha/ha_dispatcher.c
src/libcharon/plugins/ha/ha_ike.c
src/libcharon/plugins/ha/ha_message.c
src/libcharon/plugins/ha/ha_message.h

index 07ef607..8ea28a4 100644 (file)
@@ -132,6 +132,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
        ike_sa_t *ike_sa = NULL, *old_sa = NULL;
        ike_version_t version = IKEV2;
        u_int16_t encr = 0, len = 0, integ = 0, prf = 0, old_prf = PRF_UNDEFINED;
+       u_int16_t dh_grp = 0;
        chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty;
        chunk_t secret = chunk_empty, old_skd = chunk_empty;
        chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty;
@@ -193,6 +194,9 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
                        case HA_ALG_OLD_PRF:
                                old_prf = value.u16;
                                break;
+                       case HA_ALG_DH:
+                               dh_grp = value.u16;
+                               break;
                        default:
                                break;
                }
@@ -217,6 +221,10 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
                {
                        proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, prf, 0);
                }
+               if (dh_grp)
+               {
+                       proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, dh_grp, 0);
+               }
                charon->bus->set_sa(charon->bus, ike_sa);
                dh = ha_diffie_hellman_create(secret, dh_local);
                if (ike_sa->get_version(ike_sa) == IKEV2)
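Review bot: The `if (dh_grp)` guard added just before `charon->bus->set_sa` silently skips the group whenever the HA_ALG_DH attribute is absent, which is exactly what an IKE_ADD from a peer still running the previous version looks like, so the IKEv1 rekeying case the commit description targets quietly falls back to the old behaviour with no diagnostic. A short comment on the guard would make that intent visible to the next reader, e.g. `/* HA_ALG_DH is absent from older peers; the group is then unknown and IKEv1 CHILD_SA rekeying cannot derive it */`. If the silent fall-back is not intended, a DBG-level log line in the else branch would at least make a mixed-version cluster diagnosable. `process_ike_add` begins and ends outside this hunk.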
index 7492dd0..f0671c5 100644 (file)
@@ -121,6 +121,10 @@ METHOD(listener_t, ike_keys, bool,
        {
                m->add_attribute(m, HA_ALG_PRF, alg);
        }
+       if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &alg, NULL))
+       {
+               m->add_attribute(m, HA_ALG_DH, alg);
+       }
        m->add_attribute(m, HA_NONCE_I, nonce_i);
        m->add_attribute(m, HA_NONCE_R, nonce_r);
        m->add_attribute(m, HA_SECRET, secret);
index 6b00ed8..b40219c 100644 (file)
@@ -230,6 +230,7 @@ METHOD(ha_message_t, add_attribute, void,
                        break;
                }
                /* u_int16_t */
+               case HA_ALG_DH:
                case HA_ALG_PRF:
                case HA_ALG_OLD_PRF:
                case HA_ALG_ENCR:
@@ -450,6 +451,7 @@ METHOD(enumerator_t, attribute_enumerate, bool,
                        return TRUE;
                }
                /** u_int16_t */
+               case HA_ALG_DH:
                case HA_ALG_PRF:
                case HA_ALG_OLD_PRF:
                case HA_ALG_ENCR:
index 2ccb1fc..fe1786e 100644 (file)
@@ -122,6 +122,8 @@ enum ha_message_attribute_t {
        HA_ALG_ENCR_LEN,
        /** u_int16_t, integrity protection algorithm */
        HA_ALG_INTEG,
+       /** u_int16_t, DH group */
+       HA_ALG_DH,
        /** u_int8_t, IPsec mode, TUNNEL|TRANSPORT|... */
        HA_IPSEC_MODE,
        /** u_int8_t, IPComp protocol */
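Review bot: Inserting `HA_ALG_DH` between `HA_ALG_INTEG` and `HA_IPSEC_MODE` renumbers every attribute that follows it, and the per-attribute `case` lists in add_attribute and attribute_enumerate in ha_message.c suggest these enum values are the type codes written to and parsed from the wire. If that is the case, two HA nodes running different versions would decode each other's trailing attributes as the wrong type (a u_int8_t IPsec mode read where a u_int16_t is expected, and so on), which is a silent compatibility break the commit does not mention. Appending the new value at the end of the enum, or bumping the HA message version constant in the same commit if this header carries one, would avoid that; at minimum the comment should say `/** u_int16_t, DH group (inserted here; shifts the values of all following attributes) */`. The `ha_message_attribute_t` enum opens and closes outside this hunk.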