summaryrefslogtreecommitdiff
path: root/src/libcharon/sa/ikev2
diff options
context:
space:
mode:
authorRomain Francoise <rfrancoise@debian.org>2014-04-15 19:34:32 +0200
committerRomain Francoise <rfrancoise@debian.org>2014-04-15 19:34:32 +0200
commitc5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (patch)
treed4e2118cbd411caa1a0528eac831030109bc6e65 /src/libcharon/sa/ikev2
parent15fb7904f4431a6e7c305fd08732458f7f885e7e (diff)
downloadvyos-strongswan-c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9.tar.gz
vyos-strongswan-c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9.zip
Import upstream version 5.1.3
Diffstat (limited to 'src/libcharon/sa/ikev2')
-rw-r--r--src/libcharon/sa/ikev2/keymat_v2.c29
-rw-r--r--src/libcharon/sa/ikev2/task_manager_v2.c9
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_delete.c12
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_post.c139
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_pre.c28
5 files changed, 177 insertions, 40 deletions
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 8c7ba8d55..88ad14faf 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -97,10 +97,35 @@ static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg,
{
aead_t *aead_i, *aead_r;
chunk_t key = chunk_empty;
+ u_int salt_size;
+
+ switch (alg)
+ {
+ case ENCR_AES_GCM_ICV8:
+ case ENCR_AES_GCM_ICV12:
+ case ENCR_AES_GCM_ICV16:
+ /* RFC 4106 */
+ salt_size = 4;
+ break;
+ case ENCR_AES_CCM_ICV8:
+ case ENCR_AES_CCM_ICV12:
+ case ENCR_AES_CCM_ICV16:
+ /* RFC 4309 */
+ case ENCR_CAMELLIA_CCM_ICV8:
+ case ENCR_CAMELLIA_CCM_ICV12:
+ case ENCR_CAMELLIA_CCM_ICV16:
+ /* RFC 5529 */
+ salt_size = 3;
+ break;
+ default:
+ DBG1(DBG_IKE, "nonce size for %N unknown!",
+ encryption_algorithm_names, alg);
+ return FALSE;
+ }
/* SK_ei/SK_er used for encryption */
- aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
- aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
+ aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
+ aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
if (aead_i == NULL || aead_r == NULL)
{
DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index ac3be900f..a5252ab70 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -778,6 +778,15 @@ static status_t process_request(private_task_manager_t *this,
case CREATE_CHILD_SA:
{ /* FIXME: we should prevent this on mediation connections */
bool notify_found = FALSE, ts_found = FALSE;
+
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+ this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
+ {
+ DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
+ "unestablished IKE_SA, rejected");
+ return FAILED;
+ }
+
enumerator = message->create_payload_enumerator(message);
while (enumerator->enumerate(enumerator, &payload))
{
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index e898efc88..88b032c8b 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -17,6 +17,7 @@
#include <daemon.h>
#include <encoding/payloads/delete_payload.h>
+#include <sa/ikev2/tasks/child_create.h>
typedef struct private_child_delete_t private_child_delete_t;
@@ -313,6 +314,17 @@ METHOD(task_t, build_i, status_t,
}
log_children(this);
build_payloads(this, message);
+
+ if (!this->rekeyed && this->expired)
+ {
+ child_cfg_t *child_cfg;
+
+ DBG1(DBG_IKE, "scheduling CHILD_SA recreate after hard expire");
+ child_cfg = child_sa->get_config(child_sa);
+ this->ike_sa->queue_task(this->ike_sa, (task_t*)
+ child_create_create(this->ike_sa, child_cfg->get_ref(child_cfg),
+ FALSE, NULL, NULL));
+ }
return NEED_MORE;
}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
index a93e5137e..6dbc4dec3 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
@@ -22,6 +22,7 @@
#include <encoding/payloads/certreq_payload.h>
#include <encoding/payloads/auth_payload.h>
#include <credentials/certificates/x509.h>
+#include <credentials/certificates/ac.h>
typedef struct private_ike_cert_post_t private_ike_cert_post_t;
@@ -105,12 +106,109 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
}
/**
+ * Add subject certificate to message
+ */
+static bool add_subject_cert(private_ike_cert_post_t *this, auth_cfg_t *auth,
+ message_t *message)
+{
+ cert_payload_t *payload;
+ certificate_t *cert;
+
+ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (!cert)
+ {
+ return FALSE;
+ }
+ payload = build_cert_payload(this, cert);
+ if (!payload)
+ {
+ return FALSE;
+ }
+ DBG1(DBG_IKE, "sending end entity cert \"%Y\"", cert->get_subject(cert));
+ message->add_payload(message, (payload_t*)payload);
+ return TRUE;
+}
+
+/**
+ * Add intermediate CA certificates to message
+ */
+static void add_im_certs(private_ike_cert_post_t *this, auth_cfg_t *auth,
+ message_t *message)
+{
+ cert_payload_t *payload;
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ auth_rule_t type;
+
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &type, &cert))
+ {
+ if (type == AUTH_RULE_IM_CERT)
+ {
+ payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+ if (payload)
+ {
+ DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
+ cert->get_subject(cert));
+ message->add_payload(message, (payload_t*)payload);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * Add any valid attribute certificates of subject to message
+ */
+static void add_attribute_certs(private_ike_cert_post_t *this,
+ auth_cfg_t *auth, message_t *message)
+{
+ certificate_t *subject, *cert;
+
+ subject = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (subject && subject->get_type(subject) == CERT_X509)
+ {
+ x509_t *x509 = (x509_t*)subject;
+ identification_t *id, *serial;
+ enumerator_t *enumerator;
+ cert_payload_t *payload;
+ ac_t *ac;
+
+ /* we look for attribute certs having our serial and holder issuer,
+ * which is recommended by RFC 5755 */
+ serial = identification_create_from_encoding(ID_KEY_ID,
+ x509->get_serial(x509));
+ enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+ CERT_X509_AC, KEY_ANY, serial, FALSE);
+ while (enumerator->enumerate(enumerator, &ac))
+ {
+ cert = &ac->certificate;
+ id = ac->get_holderIssuer(ac);
+ if (id && id->equals(id, subject->get_issuer(subject)) &&
+ cert->get_validity(cert, NULL, NULL, NULL))
+ {
+ payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+ if (payload)
+ {
+ DBG1(DBG_IKE, "sending attribute certificate "
+ "issued by \"%Y\"", cert->get_issuer(cert));
+ message->add_payload(message, (payload_t*)payload);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ serial->destroy(serial);
+ }
+}
+
+/**
* add certificates to message
*/
static void build_certs(private_ike_cert_post_t *this, message_t *message)
{
peer_cfg_t *peer_cfg;
auth_payload_t *payload;
+ auth_cfg_t *auth;
payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
@@ -130,46 +228,13 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
}
/* FALL */
case CERT_ALWAYS_SEND:
- {
- cert_payload_t *payload;
- enumerator_t *enumerator;
- certificate_t *cert;
- auth_rule_t type;
- auth_cfg_t *auth;
-
auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-
- /* get subject cert first, then issuing certificates */
- cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
- if (!cert)
+ if (add_subject_cert(this, auth, message))
{
- break;
+ add_im_certs(this, auth, message);
+ add_attribute_certs(this, auth, message);
}
- payload = build_cert_payload(this, cert);
- if (!payload)
- {
- break;
- }
- DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
- cert->get_subject(cert));
- message->add_payload(message, (payload_t*)payload);
-
- enumerator = auth->create_enumerator(auth);
- while (enumerator->enumerate(enumerator, &type, &cert))
- {
- if (type == AUTH_RULE_IM_CERT)
- {
- payload = cert_payload_create_from_cert(CERTIFICATE, cert);
- if (payload)
- {
- DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
- cert->get_subject(cert));
- message->add_payload(message, (payload_t*)payload);
- }
- }
- }
- enumerator->destroy(enumerator);
- }
+ break;
}
}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index bd28b29d7..558b1e914 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -260,6 +260,30 @@ static void process_crl(cert_payload_t *payload, auth_cfg_t *auth)
}
/**
+ * Process an attribute certificate payload
+ */
+static void process_ac(cert_payload_t *payload, auth_cfg_t *auth)
+{
+ certificate_t *cert;
+
+ cert = payload->get_cert(payload);
+ if (cert)
+ {
+ if (cert->get_issuer(cert))
+ {
+ DBG1(DBG_IKE, "received attribute certificate issued by \"%Y\"",
+ cert->get_issuer(cert));
+ }
+ else if (cert->get_subject(cert))
+ {
+ DBG1(DBG_IKE, "received attribute certificate for \"%Y\"",
+ cert->get_subject(cert));
+ }
+ auth->add(auth, AUTH_HELPER_AC_CERT, cert);
+ }
+}
+
+/**
* Process certificate payloads
*/
static void process_certs(private_ike_cert_pre_t *this, message_t *message)
@@ -298,13 +322,15 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
case ENC_CRL:
process_crl(cert_payload, auth);
break;
+ case ENC_X509_ATTRIBUTE:
+ process_ac(cert_payload, auth);
+ break;
case ENC_PKCS7_WRAPPED_X509:
case ENC_PGP:
case ENC_DNS_SIGNED_KEY:
case ENC_KERBEROS_TOKEN:
case ENC_ARL:
case ENC_SPKI:
- case ENC_X509_ATTRIBUTE:
case ENC_RAW_RSA_KEY:
case ENC_X509_HASH_AND_URL_BUNDLE:
case ENC_OCSP_CONTENT: