authorAdrian-Ken Rueegsegger <ken@codelabs.ch>2012-09-18 15:21:08 +0200
committerTobias Brunner <tobias@strongswan.org>2013-03-19 15:23:48 +0100
commit2ac988bf4bbd24ef58aad789ab9bcc82dd66633b (patch)
treece2d8f2f104fb73886f53375c95df4cd9dad70ac /src
parente472129aa363daa3a3b7eb619442c158b1409c3f (diff)
downloadstrongswan-2ac988bf4bbd24ef58aad789ab9bcc82dd66633b.tar.bz2
strongswan-2ac988bf4bbd24ef58aad789ab9bcc82dd66633b.tar.xz
Implement IKE SA rekeying
Use the TKM ike_isa_create_child exchange to rekey an IKE SA. The isa context id is passed on (ab)using the rekey_skd chunk.
Diffstat (limited to 'src')
-rw-r--r--src/charon-tkm/src/tkm/tkm_keymat.c38
1 files changed, 29 insertions, 9 deletions
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index f9fd57ae0..9783724e2 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -230,15 +230,36 @@ METHOD(tkm_keymat_t, derive_ike_keys, bool,
spi_rem = id->get_initiator_spi(id);
}
+ result_type res;
key_type sk_ai, sk_ar, sk_ei, sk_er;
- DBG1(DBG_IKE, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
- "spi_rem: %llx)", nc_id, dh_id, spi_loc, spi_rem);
- /* Fake some data for now */
- if (ike_isa_create(this->isa_ctx_id, this->ae_ctx_id, 1, dh_id, nc_id,
- nonce_rem, 1, spi_loc, spi_rem,
- &sk_ai, &sk_ar, &sk_ei, &sk_er) != TKM_OK)
+ if (rekey_function == PRF_UNDEFINED)
{
- DBG1(DBG_IKE, "key derivation failed");
+ DBG1(DBG_IKE, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
+ "spi_rem: %llx)", nc_id, dh_id, spi_loc, spi_rem);
+ res = ike_isa_create(this->isa_ctx_id, this->ae_ctx_id, 1, dh_id, nc_id,
+ nonce_rem, this->initiator, spi_loc, spi_rem,
+ &sk_ai, &sk_ar, &sk_ei, &sk_er);
+ }
+ else
+ {
+ if (rekey_skd.ptr == NULL || rekey_skd.len != sizeof(isa_id_type))
+ {
+ DBG1(DBG_IKE, "unable to retrieve parent isa context id");
+ return FALSE;
+ }
+ const isa_id_type parent_isa_id = *((isa_id_type *)(rekey_skd.ptr));
+ DBG1(DBG_IKE, "deriving IKE keys (parent_isa: %llu, nc: %llu, dh: %llu,"
+ "spi_loc: %llx, spi_rem: %llx)", parent_isa_id, nc_id, dh_id,
+ spi_loc, spi_rem);
+ res = ike_isa_create_child(this->isa_ctx_id, parent_isa_id, 1, dh_id,
+ nc_id, nonce_rem, this->initiator, spi_loc,
+ spi_rem, &sk_ai, &sk_ar, &sk_ei, &sk_er);
+ chunk_free(&rekey_skd);
+ }
+
+ if (res != TKM_OK)
+ {
+ DBG1(DBG_IKE, "key derivation failed (isa: %llu)", this->isa_ctx_id);
return FALSE;
}
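Review bot: The dereference `*((isa_id_type *)(rekey_skd.ptr))` on the `const isa_id_type parent_isa_id` line reads an integer wide enough to print with `%llu` through a pointer whose alignment is only whatever the chunk's allocation happens to give; copying it out instead, `isa_id_type parent_isa_id;` followed by `memcpy(&parent_isa_id, rekey_skd.ptr, sizeof(parent_isa_id));`, removes the alignment and aliasing question without changing what is read. The `rekey_skd.len != sizeof(isa_id_type)` check is the right guard for that read, but on its `return FALSE` path the chunk is not released while the success path frees it with `chunk_free(&rekey_skd)`; if this function is meant to own the clone (the convention is not visible here), free it on the early return as well. The format string on the `DBG1(DBG_IKE, "deriving IKE keys (parent_isa:` line lacks a space between `"dh: %llu,"` and `"spi_loc: %llx"`, so the log reads `dh: 1,spi_loc:`. derive_ike_keys's signature and the remainder of its body lie outside the hunk.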
@@ -336,8 +357,7 @@ METHOD(tkm_keymat_t, get_auth_octets, bool,
METHOD(tkm_keymat_t, get_skd, pseudo_random_function_t,
private_tkm_keymat_t *this, chunk_t *skd)
{
- DBG1(DBG_IKE, "returning skd");
- *skd = chunk_empty;
+ *skd = chunk_clone(chunk_from_thing(this->isa_ctx_id));
return PRF_HMAC_SHA2_512;
}
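Review bot: get_skd now returns a clone of `this->isa_ctx_id` where the keymat_v2 interface leads a reader to expect SK_d key material, and nothing at the method says so or says who frees the clone; the rekey branch of derive_ike_keys in the first hunk releases it with `chunk_free(&rekey_skd)`. Add a comment above the METHOD line: `/* No SK_d is available from the TKM; the chunk carries this isa context id instead, and derive_ike_keys() of the new SA consumes and frees it. */` A caller that treats the returned chunk as secret key material would misbehave, which is worth stating where the value is produced rather than where it is parsed.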