ha: Add auth method for HA IKEv1 key derivation
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
parent
13f92f649e
commit
eed20c21d3
@ -575,7 +575,7 @@ METHOD(bus_t, message, void,
|
|||
METHOD(bus_t, ike_keys, void,
|
||||
private_bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
|
||||
chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
|
||||
ike_sa_t *rekey, shared_key_t *shared)
|
||||
ike_sa_t *rekey, shared_key_t *shared, auth_method_t method)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
entry_t *entry;
|
||||
|
@ -591,7 +591,8 @@ METHOD(bus_t, ike_keys, void,
|
|||
}
|
||||
entry->calling++;
|
||||
keep = entry->listener->ike_keys(entry->listener, ike_sa, dh, dh_other,
|
||||
nonce_i, nonce_r, rekey, shared);
|
||||
nonce_i, nonce_r, rekey, shared,
|
||||
method);
|
||||
entry->calling--;
|
||||
if (!keep)
|
||||
{
|
||||
|
|
|
@ -353,10 +353,12 @@ struct bus_t {
|
|||
* @param nonce_r responder's nonce
|
||||
* @param rekey IKE_SA we are rekeying, if any (IKEv2 only)
|
||||
* @param shared shared key used for key derivation (IKEv1-PSK only)
|
||||
* @param method auth method for key derivation (IKEv1-non-PSK only)
|
||||
*/
|
||||
void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
|
||||
chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
|
||||
ike_sa_t *rekey, shared_key_t *shared);
|
||||
ike_sa_t *rekey, shared_key_t *shared,
|
||||
auth_method_t method);
|
||||
|
||||
/**
|
||||
* IKE_SA derived keys hook.
|
||||
|
|
|
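Review bot: The new `@param method` line says `(IKEv1-non-PSK only)`, but the two callers in this commit pass it in every case: the IKEv1 phase1 path passes `method` alongside `shared` for PSK SAs as well, and the IKEv2 ike_init path passes `AUTH_NONE`. A listener needs those conventions to interpret the value, so I would write `@param method auth method for IKEv1 key derivation; AUTH_NONE for IKEv2, only meaningful when shared is NULL` (the last clause matches how the ha_ike listener in this commit consults it). The struct bus_t declaration continues outside the hunk.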
@ -88,11 +88,13 @@ struct listener_t {
|
|||
* @param nonce_r responder's nonce
|
||||
* @param rekey IKE_SA we are rekeying, if any (IKEv2 only)
|
||||
* @param shared shared key used for key derivation (IKEv1-PSK only)
|
||||
* @param method auth method for key derivation (IKEv1-non-PSK only)
|
||||
* @return TRUE to stay registered, FALSE to unregister
|
||||
*/
|
||||
bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
|
||||
chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
|
||||
ike_sa_t *rekey, shared_key_t *shared);
|
||||
ike_sa_t *rekey, shared_key_t *shared,
|
||||
auth_method_t method);
|
||||
|
||||
/**
|
||||
* Hook called with derived IKE_SA keys.
|
||||
|
|
|
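Review bot: The `@param method` documentation on the listener hook does not tell an implementer what arrives outside the IKEv1-non-PSK case, while the callers in this commit pass `AUTH_NONE` for IKEv2 and the IKEv1 method even when `shared` is set. Suggest `@param method auth method for IKEv1 key derivation, AUTH_NONE for IKEv2; consult only when shared is NULL`. The struct listener_t declaration continues outside the hunk.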
@ -138,6 +138,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
|
|||
chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty;
|
||||
host_t *other = NULL;
|
||||
bool ok = FALSE;
|
||||
auth_method_t method = AUTH_RSA;
|
||||
|
||||
enumerator = message->create_attribute_enumerator(message);
|
||||
while (enumerator->enumerate(enumerator, &attribute, &value))
|
||||
|
@ -197,6 +198,8 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
|
|||
case HA_ALG_DH:
|
||||
dh_grp = value.u16;
|
||||
break;
|
||||
case HA_AUTH_METHOD:
|
||||
method = value.u16;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
@ -238,7 +241,6 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
|
|||
{
|
||||
keymat_v1_t *keymat_v1 = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
|
||||
shared_key_t *shared = NULL;
|
||||
auth_method_t method = AUTH_RSA;
|
||||
|
||||
if (psk.len)
|
||||
{
|
||||
|
|
|
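Review bot: `case HA_AUTH_METHOD:` ends at `method = value.u16;` with no `break;` and drops into `default:`; it is harmless today, but every sibling case ends with `break;`, so add one (or a `/* fallthrough */` marker if it is intentional). The value is a raw uint16 from the HA message and is not checked against the auth_method_t enumeration before it reaches IKEv1 key derivation; the code that switches on it is presumably in keymat_v1, outside this hunk, so I cannot tell how an unknown value is treated there, and rejecting unknown values here (or falling back to `AUTH_RSA`) would be cheaper than relying on that. Because the sending side only emits the attribute for non-PSK SAs and older nodes never emit it, the `AUTH_RSA` initialiser is what those messages end up with; a comment such as `/* default when the peer sends no HA_AUTH_METHOD; matches the previous fixed AUTH_RSA */` would make that explicit. process_ike_add starts and ends outside the hunk.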
@ -73,7 +73,7 @@ static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext)
|
|||
METHOD(listener_t, ike_keys, bool,
|
||||
private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
|
||||
chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey,
|
||||
shared_key_t *shared)
|
||||
shared_key_t *shared, auth_method_t method)
|
||||
{
|
||||
ha_message_t *m;
|
||||
chunk_t secret;
|
||||
|
@ -141,6 +141,10 @@ METHOD(listener_t, ike_keys, bool,
|
|||
{
|
||||
m->add_attribute(m, HA_PSK, shared->get_key(shared));
|
||||
}
|
||||
else
|
||||
{
|
||||
m->add_attribute(m, HA_AUTH_METHOD, method);
|
||||
}
|
||||
}
|
||||
m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
|
||||
|
||||
|
|
|
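Review bot: The new `else` branch gives no reason why the auth method is synced only when there is no PSK; a reader has to know that IKEv1 SKEYID derivation (RFC 2409 section 5) differs by authentication method, with the PSK variant keyed by the shared secret itself. Suggest `/* without a PSK the passive node needs the auth method to select the SKEYID derivation variant (RFC 2409) */` above `m->add_attribute(m, HA_AUTH_METHOD, method);`. The enclosing block opens outside the hunk, so I cannot confirm it is restricted to IKEv1; if it is not, an IKEv2 SA would sync `AUTH_NONE` through this branch, which the receiver should then expect.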
@ -240,6 +240,7 @@ METHOD(ha_message_t, add_attribute, void,
|
|||
case HA_OUTBOUND_CPI:
|
||||
case HA_SEGMENT:
|
||||
case HA_ESN:
|
||||
case HA_AUTH_METHOD:
|
||||
{
|
||||
uint16_t val;
|
||||
|
||||
|
@ -463,6 +464,7 @@ METHOD(enumerator_t, attribute_enumerate, bool,
|
|||
case HA_OUTBOUND_CPI:
|
||||
case HA_SEGMENT:
|
||||
case HA_ESN:
|
||||
case HA_AUTH_METHOD:
|
||||
{
|
||||
if (this->buf.len < sizeof(uint16_t))
|
||||
{
|
||||
|
|
|
@ -156,6 +156,8 @@ enum ha_message_attribute_t {
|
|||
HA_PSK,
|
||||
/** chunk_t, IV for next IKEv1 message */
|
||||
HA_IV,
|
||||
/** uint16_t, auth_method_t for IKEv1 key derivation */
|
||||
HA_AUTH_METHOD,
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
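Review bot: `HA_AUTH_METHOD` is appended after `HA_IV`, which keeps the wire values of the existing attributes stable, but the comment does not say that the attribute is optional on the wire (the sender in this commit omits it when `HA_PSK` is present) or what a receiver assumes without it. Suggest `/** uint16_t, auth_method_t for IKEv1 key derivation; sent instead of HA_PSK for non-PSK SAs, receiver defaults to AUTH_RSA */`. Whether a node running the previous version tolerates an attribute type it does not know is decided in attribute_enumerate, outside what this commit shows, and is worth confirming before mixing versions in a cluster.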
@ -251,7 +251,8 @@ METHOD(phase1_t, derive_keys, bool,
|
|||
return FALSE;
|
||||
}
|
||||
charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, this->dh_value,
|
||||
this->nonce_i, this->nonce_r, NULL, shared_key);
|
||||
this->nonce_i, this->nonce_r, NULL, shared_key,
|
||||
method);
|
||||
DESTROY_IF(shared_key);
|
||||
return TRUE;
|
||||
}
|
||||
|
|
|
@ -773,7 +773,7 @@ static bool derive_keys(private_ike_init_t *this,
|
|||
return FALSE;
|
||||
}
|
||||
charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, chunk_empty,
|
||||
nonce_i, nonce_r, this->old_sa, NULL);
|
||||
nonce_i, nonce_r, this->old_sa, NULL, AUTH_NONE);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
|