authorMartin Willi <martin@strongswan.org>2008-11-28 10:32:09 +0000
committerMartin Willi <martin@revosec.ch>2010-04-07 13:55:12 +0200
commitd4113a42e9ac5c1085bebc07a5aa8da20174d52d (patch)
treeda72485c8e487b901763397c28ee3f2e21c16acc /src/charon/plugins
parentaa98188af50e75ff9ac28207edf05b2026996240 (diff)
support for IKE_SA rekeying sync
Diffstat (limited to 'src/charon/plugins')
-rw-r--r--src/charon/plugins/ha_sync/ha_sync_cache.c2
-rw-r--r--src/charon/plugins/ha_sync/ha_sync_dispatcher.c26
-rw-r--r--src/charon/plugins/ha_sync/ha_sync_ike.c16
-rw-r--r--src/charon/plugins/ha_sync/ha_sync_message.c4
-rw-r--r--src/charon/plugins/ha_sync/ha_sync_message.h6
5 files changed, 35 insertions, 19 deletions
diff --git a/src/charon/plugins/ha_sync/ha_sync_cache.c b/src/charon/plugins/ha_sync/ha_sync_cache.c
index 8ada9fee1..a36c8250c 100644
--- a/src/charon/plugins/ha_sync/ha_sync_cache.c
+++ b/src/charon/plugins/ha_sync/ha_sync_cache.c
@@ -202,7 +202,7 @@ static void activate(private_ha_sync_cache_t *this, u_int segment)
in_segment(this, ike_sa->get_other_host(ike_sa), segment))
{
this->list->remove_at(this->list, enumerator);
- ike_sa->set_state(ike_Sa, IKE_ESTABLISHED);
+ ike_sa->set_state(ike_sa, IKE_ESTABLISHED);
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
}
}
diff --git a/src/charon/plugins/ha_sync/ha_sync_dispatcher.c b/src/charon/plugins/ha_sync/ha_sync_dispatcher.c
index fd3a6ddc6..787321628 100644
--- a/src/charon/plugins/ha_sync/ha_sync_dispatcher.c
+++ b/src/charon/plugins/ha_sync/ha_sync_dispatcher.c
@@ -66,9 +66,10 @@ static void process_ike_add(private_ha_sync_dispatcher_t *this,
ha_sync_message_attribute_t attribute;
ha_sync_message_value_t value;
enumerator_t *enumerator;
- ike_sa_t *ike_sa = NULL;
- u_int16_t encr = 0, len = 0, integ = 0, prf = 0;
- chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty;
+ ike_sa_t *ike_sa = NULL, *old_sa = NULL;
+ u_int16_t encr = 0, len = 0, integ = 0, prf = 0, old_prf = PRF_UNDEFINED;
+ chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty;
+ chunk_t secret = chunk_empty, old_skd = chunk_empty;
enumerator = message->create_attribute_enumerator(message);
while (enumerator->enumerate(enumerator, &attribute, &value))
@@ -83,7 +84,7 @@ static void process_ike_add(private_ha_sync_dispatcher_t *this,
ike_sa);
break;
case HA_SYNC_IKE_REKEY_ID:
- DBG1(DBG_IKE, "TODO: rekey HA sync");
+ old_sa = this->cache->get_ike_sa(this->cache, value.ike_sa_id);
break;
case HA_SYNC_NONCE_I:
nonce_i = value.chunk;
@@ -94,6 +95,9 @@ static void process_ike_add(private_ha_sync_dispatcher_t *this,
case HA_SYNC_SECRET:
secret = value.chunk;
break;
+ case HA_SYNC_OLD_SKD:
+ old_skd = value.chunk;
+ break;
case HA_SYNC_ALG_ENCR:
encr = value.u16;
break;
@@ -106,13 +110,15 @@ static void process_ike_add(private_ha_sync_dispatcher_t *this,
case HA_SYNC_ALG_PRF:
prf = value.u16;
break;
+ case HA_SYNC_ALG_OLD_PRF:
+ old_prf = value.u16;
+ break;
default:
break;
}
}
enumerator->destroy(enumerator);
-
if (ike_sa)
{
proposal_t *proposal;
@@ -137,12 +143,18 @@ static void process_ike_add(private_ha_sync_dispatcher_t *this,
}
charon->bus->set_sa(charon->bus, ike_sa);
if (!keymat->derive_ike_keys(keymat, proposal, &dh, nonce_i, nonce_r,
- ike_sa->get_id(ike_sa), NULL))
+ ike_sa->get_id(ike_sa), old_prf, old_skd))
{
DBG1(DBG_IKE, "HA sync keymat derivation failed");
}
charon->bus->set_sa(charon->bus, NULL);
proposal->destroy(proposal);
+
+ if (old_sa)
+ {
+ ike_sa->inherit(ike_sa, old_sa);
+ this->cache->delete_ike_sa(this->cache, old_sa->get_id(old_sa));
+ }
}
}
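Review bot: The rekey tail guarded by `if (old_sa)` only runs when the cache lookup for HA_SYNC_IKE_REKEY_ID (earlier hunk, `old_sa = this->cache->get_ike_sa(...)`) succeeded, while `old_prf` and `old_skd` are taken from the message regardless, so a rekey message whose old IKE_SA is unknown to this node still derives the new keys from the peer-supplied SKd but silently skips `inherit` and the cache delete. An `else` branch with `DBG1(DBG_IKE, "HA sync rekey: old IKE_SA not found in cache");` would make that divergence visible in the log. The attribute pair is also not checked for consistency: if only one of HA_SYNC_ALG_OLD_PRF and HA_SYNC_OLD_SKD is present, `derive_ike_keys` receives a PRF with an empty SKd or an SKd with PRF_UNDEFINED, and whether the keymat rejects that is outside this hunk, so a guard before the call that logs and resets both to their defaults (`old_prf = PRF_UNDEFINED; old_skd = chunk_empty;`) when `(old_prf != PRF_UNDEFINED) != (old_skd.len != 0)` is worth adding. process_ike_add starts before this hunk.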
@@ -569,8 +581,6 @@ static job_requeue_t dispatch(private_ha_sync_dispatcher_t *this)
case HA_SYNC_IKE_DELETE:
process_ike_delete(this, message);
break;
- case HA_SYNC_IKE_REKEY:
- break;
case HA_SYNC_CHILD_ADD:
process_child_add(this, message);
break;
diff --git a/src/charon/plugins/ha_sync/ha_sync_ike.c b/src/charon/plugins/ha_sync/ha_sync_ike.c
index 2381bc367..b528a33dc 100644
--- a/src/charon/plugins/ha_sync/ha_sync_ike.c
+++ b/src/charon/plugins/ha_sync/ha_sync_ike.c
@@ -86,18 +86,18 @@ static bool ike_keys(private_ha_sync_ike_t *this, ike_sa_t *ike_sa,
return TRUE;
}
- if (rekey == NULL)
- {
- m = ha_sync_message_create(HA_SYNC_IKE_ADD);
+ m = ha_sync_message_create(HA_SYNC_IKE_ADD);
+ m->add_attribute(m, HA_SYNC_IKE_ID, ike_sa->get_id(ike_sa));
- m->add_attribute(m, HA_SYNC_IKE_ID, ike_sa->get_id(ike_sa));
- }
- else
+ if (rekey)
{
- m = ha_sync_message_create(HA_SYNC_IKE_REKEY);
+ chunk_t skd;
+ keymat_t *keymat;
- m->add_attribute(m, HA_SYNC_IKE_ID, ike_sa->get_id(ike_sa));
+ keymat = rekey->get_keymat(rekey);
m->add_attribute(m, HA_SYNC_IKE_REKEY_ID, rekey->get_id(rekey));
+ m->add_attribute(m, HA_SYNC_ALG_OLD_PRF, keymat->get_skd(keymat, &skd));
+ m->add_attribute(m, HA_SYNC_OLD_SKD, skd);
}
proposal = ike_sa->get_proposal(ike_sa);
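Review bot: `chunk_t skd;` is passed uninitialized to `keymat->get_skd(keymat, &skd)` and the result is added to the message unconditionally; if get_skd can return without writing its out-parameter (for instance when the rekeyed SA never completed key derivation), HA_SYNC_OLD_SKD carries indeterminate bytes. Initializing with `chunk_t skd = chunk_empty;` and only adding the two attributes when the returned PRF is not PRF_UNDEFINED is cheap and keeps the message well-formed. Since this line puts the old SA's SKd on the sync channel next to the DH secret, a comment at `m->add_attribute(m, HA_SYNC_OLD_SKD, skd);` such as `/* SKd of the rekeyed SA is live key material; the HA transport must be confidential, as for HA_SYNC_SECRET */` would record the requirement. ike_keys starts before this hunk and continues after it.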
diff --git a/src/charon/plugins/ha_sync/ha_sync_message.c b/src/charon/plugins/ha_sync/ha_sync_message.c
index ad949287c..3cf0a1011 100644
--- a/src/charon/plugins/ha_sync/ha_sync_message.c
+++ b/src/charon/plugins/ha_sync/ha_sync_message.c
@@ -219,6 +219,7 @@ static void add_attribute(private_ha_sync_message_t *this,
}
/* u_int16_t */
case HA_SYNC_ALG_PRF:
+ case HA_SYNC_ALG_OLD_PRF:
case HA_SYNC_ALG_ENCR:
case HA_SYNC_ALG_ENCR_LEN:
case HA_SYNC_ALG_INTEG:
@@ -251,6 +252,7 @@ static void add_attribute(private_ha_sync_message_t *this,
case HA_SYNC_NONCE_I:
case HA_SYNC_NONCE_R:
case HA_SYNC_SECRET:
+ case HA_SYNC_OLD_SKD:
{
chunk_t chunk;
@@ -430,6 +432,7 @@ static bool attribute_enumerate(attribute_enumerator_t *this,
}
/** u_int16_t */
case HA_SYNC_ALG_PRF:
+ case HA_SYNC_ALG_OLD_PRF:
case HA_SYNC_ALG_ENCR:
case HA_SYNC_ALG_ENCR_LEN:
case HA_SYNC_ALG_INTEG:
@@ -464,6 +467,7 @@ static bool attribute_enumerate(attribute_enumerator_t *this,
case HA_SYNC_NONCE_I:
case HA_SYNC_NONCE_R:
case HA_SYNC_SECRET:
+ case HA_SYNC_OLD_SKD:
{
size_t len;
diff --git a/src/charon/plugins/ha_sync/ha_sync_message.h b/src/charon/plugins/ha_sync/ha_sync_message.h
index c28b8424b..eec7b4f8e 100644
--- a/src/charon/plugins/ha_sync/ha_sync_message.h
+++ b/src/charon/plugins/ha_sync/ha_sync_message.h
@@ -49,8 +49,6 @@ enum ha_sync_message_type_t {
HA_SYNC_IKE_UPDATE,
/** delete an existing IKE_SA */
HA_SYNC_IKE_DELETE,
- /** rekeying an existing IKE_SA, transferring CHILD_SAs to a new one */
- HA_SYNC_IKE_REKEY,
/** add a new CHILD_SA */
HA_SYNC_CHILD_ADD,
/** delete an existing CHILD_SA */
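Review bot: Removing `HA_SYNC_IKE_REKEY` from the middle of `ha_sync_message_type_t` renumbers every type that follows it (HA_SYNC_CHILD_ADD onwards), and the next hunk in this file does the same to `ha_sync_message_attribute_t` by inserting HA_SYNC_OLD_SKD and HA_SYNC_ALG_OLD_PRF ahead of existing attributes. ha_sync_message.c switches on these values when encoding and decoding, so if the enum values are what is written to the wire, two HA nodes running different builds will decode each other's messages as the wrong type or attribute; I cannot see the serializer here, so confirm. Appending new values at the end of each enum, or versioning the message header if one exists, avoids the mismatch. A comment on both enums such as `/** values are wire format: append only, never reorder or remove */` would pin the convention for future changes.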
@@ -93,8 +91,12 @@ enum ha_sync_message_attribute_t {
HA_SYNC_NONCE_R,
/** chunk_t, diffie hellman shared secret */
HA_SYNC_SECRET,
+ /** chunk_t, SKd of old SA if rekeying */
+ HA_SYNC_OLD_SKD,
/** u_int16_t, pseudo random function */
HA_SYNC_ALG_PRF,
+ /** u_int16_t, old pseudo random function if rekeying */
+ HA_SYNC_ALG_OLD_PRF,
/** u_int16_t, encryption algorithm */
HA_SYNC_ALG_ENCR,
/** u_int16_t, encryption key size in bytes */