From f1e908837af7bf77bbb05c7ccaf2ba49a2f9f2ab Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Tue, 19 Jan 2016 14:42:17 +0100 Subject: [PATCH] ha: Add DH group to IKE_ADD message It is required for IKEv1 to determine the DH group of the CHILD SAs during rekeying. It also fixes the status output for HA SAs, which so far haven't shown the DH group on the passive side. Fixes #1267. --- src/libcharon/plugins/ha/ha_dispatcher.c | 8 ++++++++ src/libcharon/plugins/ha/ha_ike.c | 4 ++++ src/libcharon/plugins/ha/ha_message.c | 2 ++ src/libcharon/plugins/ha/ha_message.h | 2 ++ 4 files changed, 16 insertions(+) diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index 07ef607..8ea28a4 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c @@ -132,6 +132,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message ike_sa_t *ike_sa = NULL, *old_sa = NULL; ike_version_t version = IKEV2; u_int16_t encr = 0, len = 0, integ = 0, prf = 0, old_prf = PRF_UNDEFINED; + u_int16_t dh_grp = 0; chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty; chunk_t secret = chunk_empty, old_skd = chunk_empty; chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty; @@ -193,6 +194,9 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message case HA_ALG_OLD_PRF: old_prf = value.u16; break; + case HA_ALG_DH: + dh_grp = value.u16; + break; default: break; } @@ -217,6 +221,10 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message { proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, prf, 0); } + if (dh_grp) + { + proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, dh_grp, 0); + } charon->bus->set_sa(charon->bus, ike_sa); dh = ha_diffie_hellman_create(secret, dh_local); if (ike_sa->get_version(ike_sa) == IKEV2) diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c index 7492dd0..f0671c5 100644 --- a/src/libcharon/plugins/ha/ha_ike.c +++ b/src/libcharon/plugins/ha/ha_ike.c @@ -121,6 +121,10 @@ METHOD(listener_t, ike_keys, bool, { m->add_attribute(m, HA_ALG_PRF, alg); } + if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &alg, NULL)) + { + m->add_attribute(m, HA_ALG_DH, alg); + } m->add_attribute(m, HA_NONCE_I, nonce_i); m->add_attribute(m, HA_NONCE_R, nonce_r); m->add_attribute(m, HA_SECRET, secret); diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c index 6b00ed8..b40219c 100644 --- a/src/libcharon/plugins/ha/ha_message.c +++ b/src/libcharon/plugins/ha/ha_message.c @@ -230,6 +230,7 @@ METHOD(ha_message_t, add_attribute, void, break; } /* u_int16_t */ + case HA_ALG_DH: case HA_ALG_PRF: case HA_ALG_OLD_PRF: case HA_ALG_ENCR: @@ -450,6 +451,7 @@ METHOD(enumerator_t, attribute_enumerate, bool, return TRUE; } /** u_int16_t */ + case HA_ALG_DH: case HA_ALG_PRF: case HA_ALG_OLD_PRF: case HA_ALG_ENCR: diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h index 2ccb1fc..fe1786e 100644 --- a/src/libcharon/plugins/ha/ha_message.h +++ b/src/libcharon/plugins/ha/ha_message.h @@ -122,6 +122,8 @@ enum ha_message_attribute_t { HA_ALG_ENCR_LEN, /** u_int16_t, integrity protection algorithm */ HA_ALG_INTEG, + /** u_int16_t, DH group */ + HA_ALG_DH, /** u_int8_t, IPsec mode, TUNNEL|TRANSPORT|... */ HA_IPSEC_MODE, /** u_int8_t, IPComp protocol */ -- 2.7.4