diff options
author | Romain Francoise <rfrancoise@debian.org> | 2014-04-15 19:34:32 +0200 |
---|---|---|
committer | Romain Francoise <rfrancoise@debian.org> | 2014-04-15 19:34:32 +0200 |
commit | c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (patch) | |
tree | d4e2118cbd411caa1a0528eac831030109bc6e65 /src/libcharon/sa/ikev2 | |
parent | 15fb7904f4431a6e7c305fd08732458f7f885e7e (diff) | |
download | vyos-strongswan-c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9.tar.gz vyos-strongswan-c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9.zip |
Import upstream version 5.1.3
Diffstat (limited to 'src/libcharon/sa/ikev2')
-rw-r--r-- | src/libcharon/sa/ikev2/keymat_v2.c | 29 | ||||
-rw-r--r-- | src/libcharon/sa/ikev2/task_manager_v2.c | 9 | ||||
-rw-r--r-- | src/libcharon/sa/ikev2/tasks/child_delete.c | 12 | ||||
-rw-r--r-- | src/libcharon/sa/ikev2/tasks/ike_cert_post.c | 139 | ||||
-rw-r--r-- | src/libcharon/sa/ikev2/tasks/ike_cert_pre.c | 28 |
5 files changed, 177 insertions, 40 deletions
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index 8c7ba8d55..88ad14faf 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c @@ -97,10 +97,35 @@ static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg, { aead_t *aead_i, *aead_r; chunk_t key = chunk_empty; + u_int salt_size; + + switch (alg) + { + case ENCR_AES_GCM_ICV8: + case ENCR_AES_GCM_ICV12: + case ENCR_AES_GCM_ICV16: + /* RFC 4106 */ + salt_size = 4; + break; + case ENCR_AES_CCM_ICV8: + case ENCR_AES_CCM_ICV12: + case ENCR_AES_CCM_ICV16: + /* RFC 4309 */ + case ENCR_CAMELLIA_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV16: + /* RFC 5529 */ + salt_size = 3; + break; + default: + DBG1(DBG_IKE, "nonce size for %N unknown!", + encryption_algorithm_names, alg); + return FALSE; + } /* SK_ei/SK_er used for encryption */ - aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8); - aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8); + aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size); + aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size); if (aead_i == NULL || aead_r == NULL) { DBG1(DBG_IKE, "%N %N (key size %d) not supported!", diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index ac3be900f..a5252ab70 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -778,6 +778,15 @@ static status_t process_request(private_task_manager_t *this, case CREATE_CHILD_SA: { /* FIXME: we should prevent this on mediation connections */ bool notify_found = FALSE, ts_found = FALSE; + + if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED || + this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING) + { + DBG1(DBG_IKE, "received CREATE_CHILD_SA request for " + "unestablished IKE_SA, rejected"); + return FAILED; + } + enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c index e898efc88..88b032c8b 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.c +++ b/src/libcharon/sa/ikev2/tasks/child_delete.c @@ -17,6 +17,7 @@ #include <daemon.h> #include <encoding/payloads/delete_payload.h> +#include <sa/ikev2/tasks/child_create.h> typedef struct private_child_delete_t private_child_delete_t; @@ -313,6 +314,17 @@ METHOD(task_t, build_i, status_t, } log_children(this); build_payloads(this, message); + + if (!this->rekeyed && this->expired) + { + child_cfg_t *child_cfg; + + DBG1(DBG_IKE, "scheduling CHILD_SA recreate after hard expire"); + child_cfg = child_sa->get_config(child_sa); + this->ike_sa->queue_task(this->ike_sa, (task_t*) + child_create_create(this->ike_sa, child_cfg->get_ref(child_cfg), + FALSE, NULL, NULL)); + } return NEED_MORE; } diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c index a93e5137e..6dbc4dec3 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c +++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c @@ -22,6 +22,7 @@ #include <encoding/payloads/certreq_payload.h> #include <encoding/payloads/auth_payload.h> #include <credentials/certificates/x509.h> +#include <credentials/certificates/ac.h> typedef struct private_ike_cert_post_t private_ike_cert_post_t; @@ -105,12 +106,109 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this, } /** + * Add subject certificate to message + */ +static bool add_subject_cert(private_ike_cert_post_t *this, auth_cfg_t *auth, + message_t *message) +{ + cert_payload_t *payload; + certificate_t *cert; + + cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (!cert) + { + return FALSE; + } + payload = build_cert_payload(this, cert); + if (!payload) + { + return FALSE; + } + DBG1(DBG_IKE, "sending end entity cert \"%Y\"", cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + return TRUE; +} + +/** + * Add intermediate CA certificates to message + */ +static void add_im_certs(private_ike_cert_post_t *this, auth_cfg_t *auth, + message_t *message) +{ + cert_payload_t *payload; + enumerator_t *enumerator; + certificate_t *cert; + auth_rule_t type; + + enumerator = auth->create_enumerator(auth); + while (enumerator->enumerate(enumerator, &type, &cert)) + { + if (type == AUTH_RULE_IM_CERT) + { + payload = cert_payload_create_from_cert(CERTIFICATE, cert); + if (payload) + { + DBG1(DBG_IKE, "sending issuer cert \"%Y\"", + cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + } + } + } + enumerator->destroy(enumerator); +} + +/** + * Add any valid attribute certificates of subject to message + */ +static void add_attribute_certs(private_ike_cert_post_t *this, + auth_cfg_t *auth, message_t *message) +{ + certificate_t *subject, *cert; + + subject = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (subject && subject->get_type(subject) == CERT_X509) + { + x509_t *x509 = (x509_t*)subject; + identification_t *id, *serial; + enumerator_t *enumerator; + cert_payload_t *payload; + ac_t *ac; + + /* we look for attribute certs having our serial and holder issuer, + * which is recommended by RFC 5755 */ + serial = identification_create_from_encoding(ID_KEY_ID, + x509->get_serial(x509)); + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509_AC, KEY_ANY, serial, FALSE); + while (enumerator->enumerate(enumerator, &ac)) + { + cert = &ac->certificate; + id = ac->get_holderIssuer(ac); + if (id && id->equals(id, subject->get_issuer(subject)) && + cert->get_validity(cert, NULL, NULL, NULL)) + { + payload = cert_payload_create_from_cert(CERTIFICATE, cert); + if (payload) + { + DBG1(DBG_IKE, "sending attribute certificate " + "issued by \"%Y\"", cert->get_issuer(cert)); + message->add_payload(message, (payload_t*)payload); + } + } + } + enumerator->destroy(enumerator); + serial->destroy(serial); + } +} + +/** * add certificates to message */ static void build_certs(private_ike_cert_post_t *this, message_t *message) { peer_cfg_t *peer_cfg; auth_payload_t *payload; + auth_cfg_t *auth; payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION); peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); @@ -130,46 +228,13 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message) } /* FALL */ case CERT_ALWAYS_SEND: - { - cert_payload_t *payload; - enumerator_t *enumerator; - certificate_t *cert; - auth_rule_t type; - auth_cfg_t *auth; - auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); - - /* get subject cert first, then issuing certificates */ - cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); - if (!cert) + if (add_subject_cert(this, auth, message)) { - break; + add_im_certs(this, auth, message); + add_attribute_certs(this, auth, message); } - payload = build_cert_payload(this, cert); - if (!payload) - { - break; - } - DBG1(DBG_IKE, "sending end entity cert \"%Y\"", - cert->get_subject(cert)); - message->add_payload(message, (payload_t*)payload); - - enumerator = auth->create_enumerator(auth); - while (enumerator->enumerate(enumerator, &type, &cert)) - { - if (type == AUTH_RULE_IM_CERT) - { - payload = cert_payload_create_from_cert(CERTIFICATE, cert); - if (payload) - { - DBG1(DBG_IKE, "sending issuer cert \"%Y\"", - cert->get_subject(cert)); - message->add_payload(message, (payload_t*)payload); - } - } - } - enumerator->destroy(enumerator); - } + break; } } diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c index bd28b29d7..558b1e914 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c @@ -260,6 +260,30 @@ static void process_crl(cert_payload_t *payload, auth_cfg_t *auth) } /** + * Process an attribute certificate payload + */ +static void process_ac(cert_payload_t *payload, auth_cfg_t *auth) +{ + certificate_t *cert; + + cert = payload->get_cert(payload); + if (cert) + { + if (cert->get_issuer(cert)) + { + DBG1(DBG_IKE, "received attribute certificate issued by \"%Y\"", + cert->get_issuer(cert)); + } + else if (cert->get_subject(cert)) + { + DBG1(DBG_IKE, "received attribute certificate for \"%Y\"", + cert->get_subject(cert)); + } + auth->add(auth, AUTH_HELPER_AC_CERT, cert); + } +} + +/** * Process certificate payloads */ static void process_certs(private_ike_cert_pre_t *this, message_t *message) @@ -298,13 +322,15 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) case ENC_CRL: process_crl(cert_payload, auth); break; + case ENC_X509_ATTRIBUTE: + process_ac(cert_payload, auth); + break; case ENC_PKCS7_WRAPPED_X509: case ENC_PGP: case ENC_DNS_SIGNED_KEY: case ENC_KERBEROS_TOKEN: case ENC_ARL: case ENC_SPKI: - case ENC_X509_ATTRIBUTE: case ENC_RAW_RSA_KEY: case ENC_X509_HASH_AND_URL_BUNDLE: case ENC_OCSP_CONTENT: |