sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-04 00:00:14 -04:00
Code Issues Projects Releases Wiki Activity

ike-init: Indicate support for IKE_INTERMEDIATE

Browse Source
This commit is contained in:
Tobias Brunner 2019-11-05 16:42:58 +01:00
parent 012d99ecf4
commit 7ad610a140
2 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/libcharon/sa/ike_sa.h
View File

@ -161,7 +161,7 @@ enum ike_extension_t {
EXT_IKE_MESSAGE_ID_SYNC = (1<<14), EXT_IKE_MESSAGE_ID_SYNC = (1<<14),
/** /**
* Postquantum Preshared Keys, draft-ietf-ipsecme-qr-ikev2 * Postquantum Preshared Keys, RFC 8784
*/ */
EXT_PPK = (1<<15), EXT_PPK = (1<<15),
@ -169,6 +169,11 @@ enum ike_extension_t {
* Responder accepts childless IKE_SAs, RFC 6023 * Responder accepts childless IKE_SAs, RFC 6023
*/ */
EXT_IKE_CHILDLESS = (1<<16), EXT_IKE_CHILDLESS = (1<<16),
/**
* IKEv2 Intermediate Exchange, RFC 9242
*/
EXT_IKE_INTERMEDIATE = (1<<17),
}; };
/** /**

36
src/libcharon/sa/ikev2/tasks/ike_init.c
View File

@ -348,6 +348,7 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
proposal_t *proposal; proposal_t *proposal;
enumerator_t *enumerator; enumerator_t *enumerator;
ike_cfg_t *ike_cfg; ike_cfg_t *ike_cfg;
bool additional_ke = FALSE;
id = this->ike_sa->get_id(this->ike_sa); id = this->ike_sa->get_id(this->ike_sa);
@ -372,6 +373,8 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
proposal_list->remove_at(proposal_list, enumerator); proposal_list->remove_at(proposal_list, enumerator);
other_ke_methods->insert_last(other_ke_methods, proposal); other_ke_methods->insert_last(other_ke_methods, proposal);
} }
additional_ke = additional_ke ||
proposal_has_additional_ke(proposal);
} }
enumerator->destroy(enumerator); enumerator->destroy(enumerator);
/* add proposals that don't contain the selected group */ /* add proposals that don't contain the selected group */
@ -394,6 +397,7 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
this->proposal->set_spi(this->proposal, id->get_responder_spi(id)); this->proposal->set_spi(this->proposal, id->get_responder_spi(id));
} }
sa_payload = sa_payload_create_from_proposal_v2(this->proposal); sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
additional_ke = proposal_has_additional_ke(this->proposal);
} }
message->add_payload(message, (payload_t*)sa_payload); message->add_payload(message, (payload_t*)sa_payload);
@ -467,6 +471,16 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
message->add_notify(message, FALSE, CHILDLESS_IKEV2_SUPPORTED, message->add_notify(message, FALSE, CHILDLESS_IKEV2_SUPPORTED,
chunk_empty); chunk_empty);
} }
if (!this->old_sa && additional_ke)
{
if (this->initiator ||
this->ike_sa->supports_extension(this->ike_sa,
EXT_IKE_INTERMEDIATE))
{
message->add_notify(message, FALSE, INTERMEDIATE_EXCHANGE_SUPPORTED,
chunk_empty);
}
}
return TRUE; return TRUE;
} }
@ -726,6 +740,13 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
EXT_IKE_CHILDLESS); EXT_IKE_CHILDLESS);
} }
break; break;
case INTERMEDIATE_EXCHANGE_SUPPORTED:
if (!this->old_sa)
{
this->ike_sa->enable_extension(this->ike_sa,
EXT_IKE_INTERMEDIATE);
}
break;
default: default:
/* other notifies are handled elsewhere */ /* other notifies are handled elsewhere */
break; break;
@ -1163,6 +1184,14 @@ METHOD(task_t, build_r, status_t,
if (key_exchange_done(this) == NEED_MORE) if (key_exchange_done(this) == NEED_MORE)
{ {
if (!this->old_sa &&
!this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_INTERMEDIATE))
{
DBG1(DBG_IKE, "peer didn't send %N while proposing multiple key "
"exchanges", notify_type_names, INTERMEDIATE_EXCHANGE_SUPPORTED);
message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
return FAILED;
}
/* use other exchange type for additional key exchanges */ /* use other exchange type for additional key exchanges */
this->public.task.build = _build_r_multi_ke; this->public.task.build = _build_r_multi_ke;
this->public.task.process = _process_r_multi_ke; this->public.task.process = _process_r_multi_ke;
@ -1412,6 +1441,13 @@ METHOD(task_t, process_i, status_t,
if (key_exchange_done(this) == NEED_MORE) if (key_exchange_done(this) == NEED_MORE)
{ {
if (!this->old_sa &&
!this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_INTERMEDIATE))
{
DBG1(DBG_IKE, "peer didn't send %N while accepting multiple key "
"exchanges", notify_type_names, INTERMEDIATE_EXCHANGE_SUPPORTED);
return FAILED;
}
/* use other exchange type for additional key exchanges */ /* use other exchange type for additional key exchanges */
this->public.task.build = _build_i_multi_ke; this->public.task.build = _build_i_multi_ke;
this->public.task.process = _process_i_multi_ke; this->public.task.process = _process_i_multi_ke;