aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/sa/authenticators/authenticator.c9
-rw-r--r--src/libcharon/sa/authenticators/authenticator.h11
-rw-r--r--src/libcharon/sa/authenticators/psk_v1_authenticator.c15
-rw-r--r--src/libcharon/sa/authenticators/psk_v1_authenticator.h5
-rw-r--r--src/libcharon/sa/authenticators/pubkey_v1_authenticator.c16
-rw-r--r--src/libcharon/sa/authenticators/pubkey_v1_authenticator.h5
-rwxr-xr-xsrc/libcharon/sa/keymat_v1.c8
-rw-r--r--src/libcharon/sa/keymat_v1.h4
-rwxr-xr-xsrc/libcharon/sa/tasks/main_mode.c14
9 files changed, 60 insertions, 27 deletions
diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c
index b052dd87b..f2319a420 100644
--- a/src/libcharon/sa/authenticators/authenticator.c
+++ b/src/libcharon/sa/authenticators/authenticator.c
@@ -110,7 +110,8 @@ authenticator_t *authenticator_create_verifier(
*/
authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
auth_method_t auth_method, diffie_hellman_t *dh,
- chunk_t dh_value, chunk_t sa_payload)
+ chunk_t dh_value, chunk_t sa_payload,
+ chunk_t id_payload)
{
switch (auth_method)
{
@@ -118,12 +119,14 @@ authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
case AUTH_XAUTH_INIT_PSK:
case AUTH_XAUTH_RESP_PSK:
return (authenticator_t*)psk_v1_authenticator_create(ike_sa,
- initiator, dh, dh_value, sa_payload);
+ initiator, dh, dh_value, sa_payload,
+ id_payload);
case AUTH_RSA:
case AUTH_XAUTH_INIT_RSA:
case AUTH_XAUTH_RESP_RSA:
return (authenticator_t*)pubkey_v1_authenticator_create(ike_sa,
- initiator, dh, dh_value, sa_payload);
+ initiator, dh, dh_value, sa_payload,
+ id_payload);
default:
return NULL;
}
diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h
index 5a8d26d1e..3af939160 100644
--- a/src/libcharon/sa/authenticators/authenticator.h
+++ b/src/libcharon/sa/authenticators/authenticator.h
@@ -194,7 +194,11 @@ authenticator_t *authenticator_create_verifier(
char reserved[3]);
/**
- * Create an IKEv1 authenticator to build and verify signatures or hash payloads.
+ * Create an IKEv1 authenticator to build and verify signatures or hash
+ * payloads.
+ *
+ * @note Due to the fixed ID, these authenticators can only be used in one
+ * direction at a time.
*
* @param ike_sa associated IKE_SA
* @param initiator TRUE if we are the IKE_SA initiator
@@ -202,10 +206,13 @@ authenticator_t *authenticator_create_verifier(
* @param dh diffie hellman key exchange
* @param dh_value others public diffie hellman value
* @param sa_payload generated SA payload data, without payload header
+ * @param id_payload encoded ID payload of peer to authenticate or verify
+ * without payload header (gets owned)
* @return authenticator, NULL if not supported
*/
authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
auth_method_t auth_method, diffie_hellman_t *dh,
- chunk_t dh_value, chunk_t sa_payload);
+ chunk_t dh_value, chunk_t sa_payload,
+ chunk_t id_payload);
#endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/psk_v1_authenticator.c b/src/libcharon/sa/authenticators/psk_v1_authenticator.c
index ecce92268..11fd8118d 100644
--- a/src/libcharon/sa/authenticators/psk_v1_authenticator.c
+++ b/src/libcharon/sa/authenticators/psk_v1_authenticator.c
@@ -55,6 +55,11 @@ struct private_psk_v1_authenticator_t {
* Encoded SA payload, without fixed header
*/
chunk_t sa_payload;
+
+ /**
+ * Encoded ID payload, without fixed header
+ */
+ chunk_t id_payload;
};
METHOD(authenticator_t, build, status_t,
@@ -68,7 +73,7 @@ METHOD(authenticator_t, build, status_t,
keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
hash = keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
this->ike_sa->get_id(this->ike_sa), this->sa_payload,
- this->ike_sa->get_my_id(this->ike_sa));
+ this->id_payload);
free(dh.ptr);
hash_payload = hash_payload_create(HASH_V1);
@@ -97,9 +102,8 @@ METHOD(authenticator_t, process, status_t,
keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
hash = keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
this->ike_sa->get_id(this->ike_sa), this->sa_payload,
- this->ike_sa->get_other_id(this->ike_sa));
+ this->id_payload);
free(dh.ptr);
-
if (chunk_equals(hash, hash_payload->get_hash(hash_payload)))
{
free(hash.ptr);
@@ -113,6 +117,7 @@ METHOD(authenticator_t, process, status_t,
METHOD(authenticator_t, destroy, void,
private_psk_v1_authenticator_t *this)
{
+ chunk_free(&this->id_payload);
free(this);
}
@@ -121,7 +126,8 @@ METHOD(authenticator_t, destroy, void,
*/
psk_v1_authenticator_t *psk_v1_authenticator_create(ike_sa_t *ike_sa,
bool initiator, diffie_hellman_t *dh,
- chunk_t dh_value, chunk_t sa_payload)
+ chunk_t dh_value, chunk_t sa_payload,
+ chunk_t id_payload)
{
private_psk_v1_authenticator_t *this;
@@ -139,6 +145,7 @@ psk_v1_authenticator_t *psk_v1_authenticator_create(ike_sa_t *ike_sa,
.dh = dh,
.dh_value = dh_value,
.sa_payload = sa_payload,
+ .id_payload = id_payload,
);
return &this->public;
diff --git a/src/libcharon/sa/authenticators/psk_v1_authenticator.h b/src/libcharon/sa/authenticators/psk_v1_authenticator.h
index 1103ee62f..e01d49c95 100644
--- a/src/libcharon/sa/authenticators/psk_v1_authenticator.h
+++ b/src/libcharon/sa/authenticators/psk_v1_authenticator.h
@@ -44,10 +44,13 @@ struct psk_v1_authenticator_t {
* @param dh diffie hellman key exchange
* @param dh_value others public diffie hellman value
* @param sa_payload generated SA payload data, without payload header
+ * @param id_payload encoded ID payload of peer to authenticate or verify
+ * without payload header (gets owned)
* @return PSK authenticator
*/
psk_v1_authenticator_t *psk_v1_authenticator_create(ike_sa_t *ike_sa,
bool initiator, diffie_hellman_t *dh,
- chunk_t dh_value, chunk_t sa_payload);
+ chunk_t dh_value, chunk_t sa_payload,
+ chunk_t id_payload);
#endif /** PSK_V1_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/authenticators/pubkey_v1_authenticator.c
index e3e7a8073..a947349c9 100644
--- a/src/libcharon/sa/authenticators/pubkey_v1_authenticator.c
+++ b/src/libcharon/sa/authenticators/pubkey_v1_authenticator.c
@@ -55,6 +55,11 @@ struct private_pubkey_v1_authenticator_t {
* Encoded SA payload, without fixed header
*/
chunk_t sa_payload;
+
+ /**
+ * Encoded ID payload, without fixed header
+ */
+ chunk_t id_payload;
};
METHOD(authenticator_t, build, status_t,
@@ -86,7 +91,8 @@ METHOD(authenticator_t, build, status_t,
this->dh->get_my_public_value(this->dh, &dh);
keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
hash = keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
- this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
+ this->ike_sa->get_id(this->ike_sa), this->sa_payload,
+ this->id_payload);
free(dh.ptr);
if (private->sign(private, scheme, hash, &sig))
@@ -138,7 +144,8 @@ METHOD(authenticator_t, process, status_t,
this->dh->get_my_public_value(this->dh, &dh);
keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
hash = keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
- this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
+ this->ike_sa->get_id(this->ike_sa), this->sa_payload,
+ this->id_payload);
free(dh.ptr);
sig = sig_payload->get_hash(sig_payload);
@@ -175,6 +182,7 @@ METHOD(authenticator_t, process, status_t,
METHOD(authenticator_t, destroy, void,
private_pubkey_v1_authenticator_t *this)
{
+ chunk_free(&this->id_payload);
free(this);
}
@@ -183,7 +191,8 @@ METHOD(authenticator_t, destroy, void,
*/
pubkey_v1_authenticator_t *pubkey_v1_authenticator_create(ike_sa_t *ike_sa,
bool initiator, diffie_hellman_t *dh,
- chunk_t dh_value, chunk_t sa_payload)
+ chunk_t dh_value, chunk_t sa_payload,
+ chunk_t id_payload)
{
private_pubkey_v1_authenticator_t *this;
@@ -201,6 +210,7 @@ pubkey_v1_authenticator_t *pubkey_v1_authenticator_create(ike_sa_t *ike_sa,
.dh = dh,
.dh_value = dh_value,
.sa_payload = sa_payload,
+ .id_payload = id_payload,
);
return &this->public;
diff --git a/src/libcharon/sa/authenticators/pubkey_v1_authenticator.h b/src/libcharon/sa/authenticators/pubkey_v1_authenticator.h
index ed6d77cc0..48968d6a1 100644
--- a/src/libcharon/sa/authenticators/pubkey_v1_authenticator.h
+++ b/src/libcharon/sa/authenticators/pubkey_v1_authenticator.h
@@ -43,10 +43,13 @@ struct pubkey_v1_authenticator_t {
* @param dh diffie hellman key exchange
* @param dh_value others public diffie hellman value
* @param sa_payload generated SA payload data, without payload header
+ * @param id_payload encoded ID payload of peer to authenticate or verify
+ * without payload header (gets owned)
* @return pubkey authenticator
*/
pubkey_v1_authenticator_t *pubkey_v1_authenticator_create(ike_sa_t *ike_sa,
bool initiator, diffie_hellman_t *dh,
- chunk_t dh_value, chunk_t sa_payload);
+ chunk_t dh_value, chunk_t sa_payload,
+ chunk_t id_payload);
#endif /** PUBKEY_V1_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/keymat_v1.c b/src/libcharon/sa/keymat_v1.c
index 8cf10cdf8..8d384143c 100755
--- a/src/libcharon/sa/keymat_v1.c
+++ b/src/libcharon/sa/keymat_v1.c
@@ -638,12 +638,10 @@ METHOD(keymat_v1_t, get_hasher, hasher_t*,
METHOD(keymat_v1_t, get_hash, chunk_t,
private_keymat_v1_t *this, bool initiator, chunk_t dh, chunk_t dh_other,
- ike_sa_id_t *ike_sa_id, chunk_t sa_i, identification_t *id)
+ ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id)
{
chunk_t hash, data;
u_int64_t spi, spi_other;
- /* TODO-IKEv1: get real bytes from ID header? */
- u_int8_t id_header[4] = { id->get_type(id), 0, 0, 0 };
/* HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
* HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )
@@ -658,9 +656,9 @@ METHOD(keymat_v1_t, get_hash, chunk_t,
spi_other = ike_sa_id->get_initiator_spi(ike_sa_id);
spi = ike_sa_id->get_responder_spi(ike_sa_id);
}
- data = chunk_cat("ccccccc", dh, dh_other,
+ data = chunk_cat("cccccc", dh, dh_other,
chunk_from_thing(spi), chunk_from_thing(spi_other),
- sa_i, chunk_from_thing(id_header), id->get_encoding(id));
+ sa_i, id);
DBG3(DBG_IKE, "HASH_%c data %B", initiator ? 'I' : 'R', &data);
diff --git a/src/libcharon/sa/keymat_v1.h b/src/libcharon/sa/keymat_v1.h
index 89314afb0..875ad9d30 100644
--- a/src/libcharon/sa/keymat_v1.h
+++ b/src/libcharon/sa/keymat_v1.h
@@ -99,12 +99,12 @@ struct keymat_v1_t {
* @param dh_other others public DH value
* @param ike_sa_id IKE_SA identifier
* @param sa_i encoded SA payload of initiator
- * @param id ID of peer to create hash for
+ * @param id encoded IDii payload for HASH_I (IDir for HASH_R)
* @return allocated HASH data
*/
chunk_t (*get_hash)(keymat_v1_t *this, bool initiator,
chunk_t dh, chunk_t dh_other, ike_sa_id_t *ike_sa_id,
- chunk_t sa_i, identification_t *id);
+ chunk_t sa_i, chunk_t id);
/**
* Get HASH data for integrity/authentication in Phase 2 exchanges.
diff --git a/src/libcharon/sa/tasks/main_mode.c b/src/libcharon/sa/tasks/main_mode.c
index dffd5e45b..0e936209f 100755
--- a/src/libcharon/sa/tasks/main_mode.c
+++ b/src/libcharon/sa/tasks/main_mode.c
@@ -145,12 +145,14 @@ static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local)
/**
* Create an authenticator, if supported
*/
-static authenticator_t *create_authenticator(private_main_mode_t *this)
+static authenticator_t *create_authenticator(private_main_mode_t *this,
+ id_payload_t *id)
{
authenticator_t *authenticator;
authenticator = authenticator_create_v1(this->ike_sa, this->initiator,
this->auth_method, this->dh,
- this->dh_value, this->sa_payload);
+ this->dh_value, this->sa_payload,
+ id->get_encoded(id));
if (!authenticator)
{
DBG1(DBG_IKE, "negotiated authentication method %N not supported",
@@ -545,7 +547,7 @@ METHOD(task_t, build_i, status_t,
id_payload = id_payload_create_from_identification(ID_V1, id);
message->add_payload(message, &id_payload->payload_interface);
- authenticator = create_authenticator(this);
+ authenticator = create_authenticator(this, id_payload);
if (!authenticator || authenticator->build(authenticator,
message) != SUCCESS)
{
@@ -663,7 +665,7 @@ METHOD(task_t, process_r, status_t,
return send_notify(this, AUTHENTICATION_FAILED, chunk_empty);
}
- authenticator = create_authenticator(this);
+ authenticator = create_authenticator(this, id_payload);
if (!authenticator || authenticator->process(authenticator,
message) != SUCCESS)
{
@@ -862,7 +864,7 @@ METHOD(task_t, build_r, status_t,
id_payload = id_payload_create_from_identification(ID_V1, id);
message->add_payload(message, &id_payload->payload_interface);
- authenticator = create_authenticator(this);
+ authenticator = create_authenticator(this, id_payload);
if (!authenticator || authenticator->build(authenticator,
message) != SUCCESS)
{
@@ -977,7 +979,7 @@ METHOD(task_t, process_i, status_t,
}
this->ike_sa->set_other_id(this->ike_sa, id);
- authenticator = create_authenticator(this);
+ authenticator = create_authenticator(this, id_payload);
if (!authenticator || authenticator->process(authenticator,
message) != SUCCESS)
{
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-20 12:07:54 +0000