author | Adrian-Ken Rueegsegger <ken@codelabs.ch> | 2012-09-18 15:21:08 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2013-03-19 15:23:48 +0100 |
commit | 2ac988bf4bbd24ef58aad789ab9bcc82dd66633b (patch) | |
tree | ce2d8f2f104fb73886f53375c95df4cd9dad70ac /src | |
parent | e472129aa363daa3a3b7eb619442c158b1409c3f (diff) | |
Implement IKE SA rekeying
Use the TKM ike_isa_create_child exchange to rekey an IKE SA. The isa context id
is passed on by (ab)using the rekey_skd chunk.
Diffstat (limited to 'src')
-rw-r--r-- | src/charon-tkm/src/tkm/tkm_keymat.c | 38 |
1 files changed, 29 insertions, 9 deletions
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index f9fd57ae0..9783724e2 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -230,15 +230,36 @@ METHOD(tkm_keymat_t, derive_ike_keys, bool,
  spi_rem = id->get_initiator_spi(id);
  }
+ result_type res;
  key_type sk_ai, sk_ar, sk_ei, sk_er;
- DBG1(DBG_IKE, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
- "spi_rem: %llx)", nc_id, dh_id, spi_loc, spi_rem);
- /* Fake some data for now */
- if (ike_isa_create(this->isa_ctx_id, this->ae_ctx_id, 1, dh_id, nc_id,
- nonce_rem, 1, spi_loc, spi_rem,
- &sk_ai, &sk_ar, &sk_ei, &sk_er) != TKM_OK)
+ if (rekey_function == PRF_UNDEFINED)
  {
- DBG1(DBG_IKE, "key derivation failed");
+ DBG1(DBG_IKE, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
+ "spi_rem: %llx)", nc_id, dh_id, spi_loc, spi_rem);
+ res = ike_isa_create(this->isa_ctx_id, this->ae_ctx_id, 1, dh_id, nc_id,
+ nonce_rem, this->initiator, spi_loc, spi_rem,
+ &sk_ai, &sk_ar, &sk_ei, &sk_er);
+ }
+ else
+ {
+ if (rekey_skd.ptr == NULL || rekey_skd.len != sizeof(isa_id_type))
+ {
+ DBG1(DBG_IKE, "unable to retrieve parent isa context id");
+ return FALSE;
+ }
+ const isa_id_type parent_isa_id = *((isa_id_type *)(rekey_skd.ptr));
+ DBG1(DBG_IKE, "deriving IKE keys (parent_isa: %llu, nc: %llu, dh: %llu,"
+ "spi_loc: %llx, spi_rem: %llx)", parent_isa_id, nc_id, dh_id,
+ spi_loc, spi_rem);
+ res = ike_isa_create_child(this->isa_ctx_id, parent_isa_id, 1, dh_id,
+ nc_id, nonce_rem, this->initiator, spi_loc,
+ spi_rem, &sk_ai, &sk_ar, &sk_ei, &sk_er);
+ chunk_free(&rekey_skd);
+ }
+
+ if (res != TKM_OK)
+ {
+ DBG1(DBG_IKE, "key derivation failed (isa: %llu)", this->isa_ctx_id);
  return FALSE;
  }
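Review bot: The length check in the rekey branch returns without releasing `rekey_skd`, while the success path frees it with `chunk_free(&rekey_skd)`, so a chunk with a non-NULL pointer but an unexpected length leaks; freeing it before that `return FALSE`, or moving `chunk_free(&rekey_skd);` up to directly after the id has been copied out, keeps both paths consistent. The copy itself, `*((isa_id_type *)(rekey_skd.ptr))`, reinterprets the chunk buffer as an isa_id_type and nothing here shows the buffer is suitably aligned, so `memcpy(&parent_isa_id, rekey_skd.ptr, sizeof(parent_isa_id));` is the safer form. Since derive_ike_keys frees a by-value chunk parameter, the contract that the caller hands over ownership of rekey_skd should be stated in a comment on the method, because a caller that still owns the chunk would double-free it. The new log format also lacks a space after `dh: %llu,`, so the joined literals print `dh: 1,spi_loc:`. derive_ike_keys begins before the hunk and its trailing context lines are not shown.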
@@ -336,8 +357,7 @@ METHOD(tkm_keymat_t, get_auth_octets, bool,
  METHOD(tkm_keymat_t, get_skd, pseudo_random_function_t,
  private_tkm_keymat_t *this, chunk_t *skd)
  {
- DBG1(DBG_IKE, "returning skd");
- *skd = chunk_empty;
+ *skd = chunk_clone(chunk_from_thing(this->isa_ctx_id));
  return PRF_HMAC_SHA2_512;
  }
|
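Review bot: get_skd now hands out a heap copy of isa_ctx_id via `chunk_clone`, and the only visible release is the `chunk_free(&rekey_skd)` in derive_ike_keys in the first hunk, so the ownership transfer deserves a comment on the method, e.g. `/* returns a clone of isa_ctx_id; the caller must pass it as rekey_skd to derive_ike_keys, which releases it */`. The returned `PRF_HMAC_SHA2_512` is a fixed value unrelated to any negotiated proposal; in derive_ike_keys it only serves to select the rekey branch by differing from PRF_UNDEFINED, which is worth stating in that comment so nobody treats it as the actual PRF in use. The hunk's trailing context line is not shown.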