aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/conftest/hooks/pretend_auth.c7
-rw-r--r--src/libcharon/sa/authenticators/authenticator.c20
-rw-r--r--src/libcharon/sa/authenticators/authenticator.h8
-rw-r--r--src/libcharon/sa/authenticators/eap_authenticator.c18
-rw-r--r--src/libcharon/sa/authenticators/eap_authenticator.h8
-rw-r--r--src/libcharon/sa/authenticators/psk_authenticator.c21
-rw-r--r--src/libcharon/sa/authenticators/psk_authenticator.h8
-rw-r--r--src/libcharon/sa/authenticators/pubkey_authenticator.c19
-rw-r--r--src/libcharon/sa/authenticators/pubkey_authenticator.h8
-rw-r--r--src/libcharon/sa/keymat.c8
-rw-r--r--src/libcharon/sa/keymat.h8
-rw-r--r--src/libcharon/sa/tasks/ike_auth.c39
12 files changed, 132 insertions, 40 deletions
diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c
index 451c414bd..4b7168cac 100644
--- a/src/conftest/hooks/pretend_auth.c
+++ b/src/conftest/hooks/pretend_auth.c
@@ -40,6 +40,11 @@ struct private_pretend_auth_t {
identification_t *id;
/**
+ * reserved bytes of ID payload
+ */
+ char reserved[3];
+
+ /**
* IKE_SA_INIT data for signature
*/
chunk_t ike_init;
@@ -232,7 +237,7 @@ static bool build_auth(private_pretend_auth_t *this,
}
keymat = ike_sa->get_keymat(ike_sa);
octets = keymat->get_auth_octets(keymat, TRUE, this->ike_init,
- this->nonce, this->id);
+ this->nonce, this->id, this->reserved);
if (!private->sign(private, scheme, octets, &auth_data))
{
chunk_free(&octets);
diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c
index cd340e53e..83f5fbaad 100644
--- a/src/libcharon/sa/authenticators/authenticator.c
+++ b/src/libcharon/sa/authenticators/authenticator.c
@@ -39,7 +39,8 @@ ENUM_END(auth_method_names, AUTH_ECDSA_521);
*/
authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
chunk_t received_nonce, chunk_t sent_nonce,
- chunk_t received_init, chunk_t sent_init)
+ chunk_t received_init, chunk_t sent_init,
+ char reserved[3])
{
switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
{
@@ -47,13 +48,14 @@ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
/* defaults to PUBKEY */
case AUTH_CLASS_PUBKEY:
return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa,
- received_nonce, sent_init);
+ received_nonce, sent_init, reserved);
case AUTH_CLASS_PSK:
return (authenticator_t*)psk_authenticator_create_builder(ike_sa,
- received_nonce, sent_init);
+ received_nonce, sent_init, reserved);
case AUTH_CLASS_EAP:
return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
- received_nonce, sent_nonce, received_init, sent_init);
+ received_nonce, sent_nonce,
+ received_init, sent_init, reserved);
default:
return NULL;
}
@@ -65,7 +67,8 @@ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
authenticator_t *authenticator_create_verifier(
ike_sa_t *ike_sa, message_t *message,
chunk_t received_nonce, chunk_t sent_nonce,
- chunk_t received_init, chunk_t sent_init)
+ chunk_t received_init, chunk_t sent_init,
+ char reserved[3])
{
auth_payload_t *auth_payload;
@@ -73,7 +76,8 @@ authenticator_t *authenticator_create_verifier(
if (auth_payload == NULL)
{
return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
- received_nonce, sent_nonce, received_init, sent_init);
+ received_nonce, sent_nonce,
+ received_init, sent_init, reserved);
}
switch (auth_payload->get_auth_method(auth_payload))
{
@@ -82,10 +86,10 @@ authenticator_t *authenticator_create_verifier(
case AUTH_ECDSA_384:
case AUTH_ECDSA_521:
return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
- sent_nonce, received_init);
+ sent_nonce, received_init, reserved);
case AUTH_PSK:
return (authenticator_t*)psk_authenticator_create_verifier(ike_sa,
- sent_nonce, received_init);
+ sent_nonce, received_init, reserved);
default:
return NULL;
}
diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h
index 89178b5cf..d27e006a3 100644
--- a/src/libcharon/sa/authenticators/authenticator.h
+++ b/src/libcharon/sa/authenticators/authenticator.h
@@ -130,12 +130,14 @@ struct authenticator_t {
* @param sent_nonce nonce sent in IKE_SA_INIT
* @param received_init received IKE_SA_INIT message data
* @param sent_init sent IKE_SA_INIT message data
+ * @param reserved reserved bytes of the ID payload
* @return authenticator, NULL if not supported
*/
authenticator_t *authenticator_create_builder(
ike_sa_t *ike_sa, auth_cfg_t *cfg,
chunk_t received_nonce, chunk_t sent_nonce,
- chunk_t received_init, chunk_t sent_init);
+ chunk_t received_init, chunk_t sent_init,
+ char reserved[3]);
/**
* Create an authenticator to verify signatures.
@@ -146,11 +148,13 @@ authenticator_t *authenticator_create_builder(
* @param sent_nonce nonce sent in IKE_SA_INIT
* @param received_init received IKE_SA_INIT message data
* @param sent_init sent IKE_SA_INIT message data
+ * @param reserved reserved bytes of the ID payload
* @return authenticator, NULL if not supported
*/
authenticator_t *authenticator_create_verifier(
ike_sa_t *ike_sa, message_t *message,
chunk_t received_nonce, chunk_t sent_nonce,
- chunk_t received_init, chunk_t sent_init);
+ chunk_t received_init, chunk_t sent_init,
+ char reserved[3]);
#endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c
index 8b22fd1d7..dea02755d 100644
--- a/src/libcharon/sa/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/authenticators/eap_authenticator.c
@@ -58,6 +58,11 @@ struct private_eap_authenticator_t {
chunk_t sent_init;
/**
+ * Reserved bytes of ID payload
+ */
+ char reserved[3];
+
+ /**
* Current EAP method processing
*/
eap_method_t *method;
@@ -422,7 +427,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
other_id = this->ike_sa->get_other_id(this->ike_sa);
keymat = this->ike_sa->get_keymat(this->ike_sa);
auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
- this->msk, other_id);
+ this->msk, other_id, this->reserved);
recv_auth_data = auth_payload->get_data(auth_payload);
if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
{
@@ -458,7 +463,8 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message,
DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
my_id, auth_class_names, AUTH_CLASS_EAP);
- auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
+ auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce,
+ this->msk, my_id, this->reserved);
auth_payload = auth_payload_create();
auth_payload->set_auth_method(auth_payload, AUTH_PSK);
auth_payload->set_data(auth_payload, auth_data);
@@ -642,7 +648,8 @@ METHOD(authenticator_t, destroy, void,
*/
eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
chunk_t received_nonce, chunk_t sent_nonce,
- chunk_t received_init, chunk_t sent_init)
+ chunk_t received_init, chunk_t sent_init,
+ char reserved[3])
{
private_eap_authenticator_t *this;
@@ -661,6 +668,7 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
.sent_init = sent_init,
.sent_nonce = sent_nonce,
);
+ memcpy(this->reserved, reserved, sizeof(this->reserved));
return &this->public;
}
@@ -670,7 +678,8 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
*/
eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
chunk_t received_nonce, chunk_t sent_nonce,
- chunk_t received_init, chunk_t sent_init)
+ chunk_t received_init, chunk_t sent_init,
+ char reserved[3])
{
private_eap_authenticator_t *this;
@@ -689,6 +698,7 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
.sent_init = sent_init,
.sent_nonce = sent_nonce,
);
+ memcpy(this->reserved, reserved, sizeof(this->reserved));
return &this->public;
}
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.h b/src/libcharon/sa/authenticators/eap_authenticator.h
index 41eb6a8c9..726411a18 100644
--- a/src/libcharon/sa/authenticators/eap_authenticator.h
+++ b/src/libcharon/sa/authenticators/eap_authenticator.h
@@ -75,11 +75,13 @@ struct eap_authenticator_t {
* @param sent_nonce nonce sent in IKE_SA_INIT
* @param received_init received IKE_SA_INIT message data
* @param sent_init sent IKE_SA_INIT message data
+ * @param reserved reserved bytes of ID payload
* @return EAP authenticator
*/
eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
chunk_t received_nonce, chunk_t sent_nonce,
- chunk_t received_init, chunk_t sent_init);
+ chunk_t received_init, chunk_t sent_init,
+ char reserved[3]);
/**
* Create an authenticator to authenticate EAP clients.
@@ -89,10 +91,12 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
* @param sent_nonce nonce sent in IKE_SA_INIT
* @param received_init received IKE_SA_INIT message data
* @param sent_init sent IKE_SA_INIT message data
+ * @param reserved reserved bytes of ID payload
* @return EAP authenticator
*/
eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
chunk_t received_nonce, chunk_t sent_nonce,
- chunk_t received_init, chunk_t sent_init);
+ chunk_t received_init, chunk_t sent_init,
+ char reserved[3]);
#endif /** EAP_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/authenticators/psk_authenticator.c
index 54ab533e6..21fc0f9b8 100644
--- a/src/libcharon/sa/authenticators/psk_authenticator.c
+++ b/src/libcharon/sa/authenticators/psk_authenticator.c
@@ -45,6 +45,11 @@ struct private_psk_authenticator_t {
* IKE_SA_INIT message data to include in AUTH calculation
*/
chunk_t ike_sa_init;
+
+ /**
+ * Reserved bytes of ID payload
+ */
+ char reserved[3];
};
METHOD(authenticator_t, build, status_t,
@@ -68,7 +73,7 @@ METHOD(authenticator_t, build, status_t,
return NOT_FOUND;
}
auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
- this->nonce, key->get_key(key), my_id);
+ this->nonce, key->get_key(key), my_id, this->reserved);
key->destroy(key);
DBG2(DBG_IKE, "successfully created shared key MAC");
auth_payload = auth_payload_create();
@@ -109,7 +114,7 @@ METHOD(authenticator_t, process, status_t,
keys_found++;
auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
- this->nonce, key->get_key(key), other_id);
+ this->nonce, key->get_key(key), other_id, this->reserved);
if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
{
DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
@@ -147,7 +152,8 @@ METHOD(authenticator_t, destroy, void,
* Described in header.
*/
psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
- chunk_t received_nonce, chunk_t sent_init)
+ chunk_t received_nonce, chunk_t sent_init,
+ char reserved[3])
{
private_psk_authenticator_t *this;
@@ -159,11 +165,13 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
.is_mutual = (void*)return_false,
.destroy = _destroy,
},
- }.
+ },
.ike_sa = ike_sa,
.ike_sa_init = sent_init,
.nonce = received_nonce,
);
+ memcpy(this->reserved, reserved, sizeof(this->reserved));
+
return &this->public;
}
@@ -171,7 +179,8 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
* Described in header.
*/
psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
- chunk_t sent_nonce, chunk_t received_init)
+ chunk_t sent_nonce, chunk_t received_init,
+ char reserved[3])
{
private_psk_authenticator_t *this;
@@ -188,6 +197,8 @@ psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
.ike_sa_init = received_init,
.nonce = sent_nonce,
);
+ memcpy(this->reserved, reserved, sizeof(this->reserved));
+
return &this->public;
}
diff --git a/src/libcharon/sa/authenticators/psk_authenticator.h b/src/libcharon/sa/authenticators/psk_authenticator.h
index 0fab11095..8cf1a0f98 100644
--- a/src/libcharon/sa/authenticators/psk_authenticator.h
+++ b/src/libcharon/sa/authenticators/psk_authenticator.h
@@ -42,10 +42,12 @@ struct psk_authenticator_t {
* @param ike_sa associated ike_sa
* @param received_nonce nonce received in IKE_SA_INIT
* @param sent_init sent IKE_SA_INIT message data
+ * @param reserved reserved bytes of ID payload
* @return PSK authenticator
*/
psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
- chunk_t received_nonce, chunk_t sent_init);
+ chunk_t received_nonce, chunk_t sent_init,
+ char reserved[3]);
/**
* Create an authenticator to verify PSK signatures.
@@ -53,9 +55,11 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
* @param ike_sa associated ike_sa
* @param sent_nonce nonce sent in IKE_SA_INIT
* @param received_init received IKE_SA_INIT message data
+ * @param reserved reserved bytes of ID payload
* @return PSK authenticator
*/
psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
- chunk_t sent_nonce, chunk_t received_init);
+ chunk_t sent_nonce, chunk_t received_init,
+ char reserved[3]);
#endif /** PSK_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c
index 1d01abf50..247891670 100644
--- a/src/libcharon/sa/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c
@@ -46,6 +46,11 @@ struct private_pubkey_authenticator_t {
* IKE_SA_INIT message data to include in AUTH calculation
*/
chunk_t ike_sa_init;
+
+ /**
+ * Reserved bytes of ID payload
+ */
+ char reserved[3];
};
METHOD(authenticator_t, build, status_t,
@@ -107,7 +112,7 @@ METHOD(authenticator_t, build, status_t,
}
keymat = this->ike_sa->get_keymat(this->ike_sa);
octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
- this->nonce, id);
+ this->nonce, id, this->reserved);
if (private->sign(private, scheme, octets, &auth_data))
{
auth_payload = auth_payload_create();
@@ -171,7 +176,7 @@ METHOD(authenticator_t, process, status_t,
id = this->ike_sa->get_other_id(this->ike_sa);
keymat = this->ike_sa->get_keymat(this->ike_sa);
octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
- this->nonce, id);
+ this->nonce, id, this->reserved);
auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
key_type, id, auth);
@@ -212,7 +217,8 @@ METHOD(authenticator_t, destroy, void,
* Described in header.
*/
pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
- chunk_t received_nonce, chunk_t sent_init)
+ chunk_t received_nonce, chunk_t sent_init,
+ char reserved[3])
{
private_pubkey_authenticator_t *this;
@@ -229,6 +235,8 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
.ike_sa_init = sent_init,
.nonce = received_nonce,
);
+ memcpy(this->reserved, reserved, sizeof(this->reserved));
+
return &this->public;
}
@@ -236,7 +244,8 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
* Described in header.
*/
pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
- chunk_t sent_nonce, chunk_t received_init)
+ chunk_t sent_nonce, chunk_t received_init,
+ char reserved[3])
{
private_pubkey_authenticator_t *this;
@@ -253,5 +262,7 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
.ike_sa_init = received_init,
.nonce = sent_nonce,
);
+ memcpy(this->reserved, reserved, sizeof(this->reserved));
+
return &this->public;
}
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.h b/src/libcharon/sa/authenticators/pubkey_authenticator.h
index be369cb89..4c3937ecc 100644
--- a/src/libcharon/sa/authenticators/pubkey_authenticator.h
+++ b/src/libcharon/sa/authenticators/pubkey_authenticator.h
@@ -43,10 +43,12 @@ struct pubkey_authenticator_t {
* @param ike_sa associated ike_sa
* @param received_nonce nonce received in IKE_SA_INIT
* @param sent_init sent IKE_SA_INIT message data
+ * @param reserved reserved bytes of ID payload
* @return public key authenticator
*/
pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
- chunk_t received_nonce, chunk_t sent_init);
+ chunk_t received_nonce, chunk_t sent_init,
+ char reserved[3]);
/**
* Create an authenticator to verify public key signatures.
@@ -54,9 +56,11 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
* @param ike_sa associated ike_sa
* @param sent_nonce nonce sent in IKE_SA_INIT
* @param received_init received IKE_SA_INIT message data
+ * @param reserved reserved bytes of ID payload
* @return public key authenticator
*/
pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
- chunk_t sent_nonce, chunk_t received_init);
+ chunk_t sent_nonce, chunk_t received_init,
+ char reserved[3]);
#endif /** PUBKEY_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c
index 878ad124f..f9f24787a 100644
--- a/src/libcharon/sa/keymat.c
+++ b/src/libcharon/sa/keymat.c
@@ -540,7 +540,7 @@ METHOD(keymat_t, get_aead, aead_t*,
METHOD(keymat_t, get_auth_octets, chunk_t,
private_keymat_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, identification_t *id)
+ chunk_t nonce, identification_t *id, char reserved[3])
{
chunk_t chunk, idx, octets;
chunk_t skp;
@@ -548,8 +548,8 @@ METHOD(keymat_t, get_auth_octets, chunk_t,
skp = verify ? this->skp_verify : this->skp_build;
chunk = chunk_alloca(4);
- memset(chunk.ptr, 0, chunk.len);
chunk.ptr[0] = id->get_type(id);
+ memcpy(chunk.ptr + 1, reserved, 3);
idx = chunk_cata("cc", chunk, id->get_encoding(id));
DBG3(DBG_IKE, "IDx' %B", &idx);
@@ -570,7 +570,7 @@ METHOD(keymat_t, get_auth_octets, chunk_t,
METHOD(keymat_t, get_psk_sig, chunk_t,
private_keymat_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, chunk_t secret, identification_t *id)
+ chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3])
{
chunk_t key_pad, key, sig, octets;
@@ -578,7 +578,7 @@ METHOD(keymat_t, get_psk_sig, chunk_t,
{ /* EAP uses SK_p if no MSK has been established */
secret = verify ? this->skp_verify : this->skp_build;
}
- octets = get_auth_octets(this, verify, ike_sa_init, nonce, id);
+ octets = get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved);
/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
this->prf->set_key(this->prf, secret);
diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h
index 4f01aa411..11e0fa79a 100644
--- a/src/libcharon/sa/keymat.h
+++ b/src/libcharon/sa/keymat.h
@@ -117,10 +117,12 @@ struct keymat_t {
* @param ike_sa_init encoded ike_sa_init message
* @param nonce nonce value
* @param id identity
+ * @param reserved reserved bytes of id_payload
* @return authentication octets
*/
chunk_t (*get_auth_octets)(keymat_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, identification_t *id);
+ chunk_t nonce, identification_t *id,
+ char reserved[3]);
/**
* Build the shared secret signature used for PSK and EAP authentication.
*
@@ -133,10 +135,12 @@ struct keymat_t {
* @param nonce nonce value
* @param secret optional secret to include into signature
* @param id identity
+ * @param reserved reserved bytes of id_payload
* @return signature octets
*/
chunk_t (*get_psk_sig)(keymat_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, chunk_t secret, identification_t *id);
+ chunk_t nonce, chunk_t secret,
+ identification_t *id, char reserved[3]);
/**
* Destroy a keymat_t.
*/
diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c
index b440ec811..48174e2c2 100644
--- a/src/libcharon/sa/tasks/ike_auth.c
+++ b/src/libcharon/sa/tasks/ike_auth.c
@@ -68,6 +68,11 @@ struct private_ike_auth_t {
packet_t *other_packet;
/**
+ * Reserved bytes of ID payload
+ */
+ char reserved[3];
+
+ /**
* currently active authenticator, to authenticate us
*/
authenticator_t *my_auth;
@@ -160,6 +165,24 @@ static status_t collect_other_init_data(private_ike_auth_t *this,
}
/**
+ * Get and store reserved bytes of id_payload, required for AUTH payload
+ */
+static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id)
+{
+ u_int8_t *byte;
+ int i;
+
+ for (i = 0; i < countof(this->reserved); i++)
+ {
+ byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i);
+ if (byte)
+ {
+ this->reserved[i] = *byte;
+ }
+ }
+}
+
+/**
* Get the next authentication configuration
*/
static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
@@ -398,13 +421,15 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
}
this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
id_payload = id_payload_create_from_identification(ID_INITIATOR, id);
+ get_reserved_id_bytes(this, id_payload);
message->add_payload(message, (payload_t*)id_payload);
/* build authentication data */
this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
this->other_nonce, this->my_nonce,
this->other_packet->get_data(this->other_packet),
- this->my_packet->get_data(this->my_packet));
+ this->my_packet->get_data(this->my_packet),
+ this->reserved);
if (!this->my_auth)
{
return FAILED;
@@ -498,6 +523,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
return FAILED;
}
id = id_payload->get_identification(id_payload);
+ get_reserved_id_bytes(this, id_payload);
this->ike_sa->set_other_id(this->ike_sa, id);
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
@@ -548,7 +574,8 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
this->other_auth = authenticator_create_verifier(this->ike_sa,
message, this->other_nonce, this->my_nonce,
this->other_packet->get_data(this->other_packet),
- this->my_packet->get_data(this->my_packet));
+ this->my_packet->get_data(this->my_packet),
+ this->reserved);
if (!this->other_auth)
{
this->authentication_failed = TRUE;
@@ -662,6 +689,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
}
id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
+ get_reserved_id_bytes(this, id_payload);
message->add_payload(message, (payload_t*)id_payload);
if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
@@ -682,7 +710,8 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
this->other_nonce, this->my_nonce,
this->other_packet->get_data(this->other_packet),
- this->my_packet->get_data(this->my_packet));
+ this->my_packet->get_data(this->my_packet),
+ this->reserved);
if (!this->my_auth)
{
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
@@ -857,6 +886,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
return FAILED;
}
id = id_payload->get_identification(id_payload);
+ get_reserved_id_bytes(this, id_payload);
this->ike_sa->set_other_id(this->ike_sa, id);
cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
@@ -867,7 +897,8 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
this->other_auth = authenticator_create_verifier(this->ike_sa,
message, this->other_nonce, this->my_nonce,
this->other_packet->get_data(this->other_packet),
- this->my_packet->get_data(this->my_packet));
+ this->my_packet->get_data(this->my_packet),
+ this->reserved);
if (!this->other_auth)
{
return FAILED;
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-22 21:31:48 +0000