ha: Add auth method for HA IKEv1 key derivation

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

src/libcharon/bus/bus.c

@@ -575,7 +575,7 @@ METHOD(bus_t, message, void,
 METHOD(bus_t, ike_keys, void,
 	private_bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
 	chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
-	ike_sa_t *rekey, shared_key_t *shared)
+	ike_sa_t *rekey, shared_key_t *shared, auth_method_t method)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -591,7 +591,8 @@ METHOD(bus_t, ike_keys, void,
 		}
 		entry->calling++;
 		keep = entry->listener->ike_keys(entry->listener, ike_sa, dh, dh_other,
-										 nonce_i, nonce_r, rekey, shared);
+										 nonce_i, nonce_r, rekey, shared,
+										 method);
 		entry->calling--;
 		if (!keep)
 		{

src/libcharon/bus/bus.h

@@ -353,10 +353,12 @@ struct bus_t {
 	 * @param nonce_r	responder's nonce
 	 * @param rekey		IKE_SA we are rekeying, if any (IKEv2 only)
 	 * @param shared	shared key used for key derivation (IKEv1-PSK only)
+	 * @param method	auth method for key derivation (IKEv1-non-PSK only)
 	 */
 	void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
 					 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
-					 ike_sa_t *rekey, shared_key_t *shared);
+					 ike_sa_t *rekey, shared_key_t *shared,
+					 auth_method_t method);
 
 	/**
 	 * IKE_SA derived keys hook.

src/libcharon/bus/listeners/listener.h

@@ -88,11 +88,13 @@ struct listener_t {
 	 * @param nonce_r	responder's nonce
 	 * @param rekey		IKE_SA we are rekeying, if any (IKEv2 only)
 	 * @param shared	shared key used for key derivation (IKEv1-PSK only)
+	 * @param method	auth method for key derivation (IKEv1-non-PSK only)
 	 * @return			TRUE to stay registered, FALSE to unregister
 	 */
 	bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
 					 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
-					 ike_sa_t *rekey, shared_key_t *shared);
+					 ike_sa_t *rekey, shared_key_t *shared,
+					 auth_method_t method);
 
 	/**
 	 * Hook called with derived IKE_SA keys.

src/libcharon/plugins/ha/ha_dispatcher.c

@@ -138,6 +138,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 	chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty;
 	host_t *other = NULL;
 	bool ok = FALSE;
+	auth_method_t method = AUTH_RSA;
 
 	enumerator = message->create_attribute_enumerator(message);
 	while (enumerator->enumerate(enumerator, &attribute, &value))
@@ -197,6 +198,8 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 			case HA_ALG_DH:
 				dh_grp = value.u16;
 				break;
+			case HA_AUTH_METHOD:
+				method = value.u16;
 			default:
 				break;
 		}
@@ -238,7 +241,6 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 		{
 			keymat_v1_t *keymat_v1 = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
 			shared_key_t *shared = NULL;
-			auth_method_t method = AUTH_RSA;
 
 			if (psk.len)
 			{

src/libcharon/plugins/ha/ha_ike.c

@@ -73,7 +73,7 @@ static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext)
 METHOD(listener_t, ike_keys, bool,
 	private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
 	chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey,
-	shared_key_t *shared)
+	shared_key_t *shared, auth_method_t method)
 {
 	ha_message_t *m;
 	chunk_t secret;
@@ -141,6 +141,10 @@ METHOD(listener_t, ike_keys, bool,
 		{
 			m->add_attribute(m, HA_PSK, shared->get_key(shared));
 		}
+		else
+		{
+			m->add_attribute(m, HA_AUTH_METHOD, method);
+		}
 	}
 	m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
 

src/libcharon/plugins/ha/ha_message.c

@@ -240,6 +240,7 @@ METHOD(ha_message_t, add_attribute, void,
 		case HA_OUTBOUND_CPI:
 		case HA_SEGMENT:
 		case HA_ESN:
+		case HA_AUTH_METHOD:
 		{
 			uint16_t val;
 
@@ -463,6 +464,7 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 		case HA_OUTBOUND_CPI:
 		case HA_SEGMENT:
 		case HA_ESN:
+		case HA_AUTH_METHOD:
 		{
 			if (this->buf.len < sizeof(uint16_t))
 			{

src/libcharon/plugins/ha/ha_message.h

@@ -156,6 +156,8 @@ enum ha_message_attribute_t {
 	HA_PSK,
 	/** chunk_t, IV for next IKEv1 message */
 	HA_IV,
+	/** uint16_t, auth_method_t for IKEv1 key derivation */
+	HA_AUTH_METHOD,
 };
 
 /**

src/libcharon/sa/ikev1/phase1.c

@@ -251,7 +251,8 @@ METHOD(phase1_t, derive_keys, bool,
 		return FALSE;
 	}
 	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, this->dh_value,
-						  this->nonce_i, this->nonce_r, NULL, shared_key);
+						  this->nonce_i, this->nonce_r, NULL, shared_key,
+						  method);
 	DESTROY_IF(shared_key);
 	return TRUE;
 }

src/libcharon/sa/ikev2/tasks/ike_init.c

@@ -773,7 +773,7 @@ static bool derive_keys(private_ike_init_t *this,
 		return FALSE;
 	}
 	charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, chunk_empty,
-						  nonce_i, nonce_r, this->old_sa, NULL);
+						  nonce_i, nonce_r, this->old_sa, NULL, AUTH_NONE);
 	return TRUE;
 }