ha_sync_message_attribute_t attribute;
ha_sync_message_value_t value;
enumerator_t *enumerator;
- ike_sa_t *ike_sa = NULL;
- u_int16_t encr = 0, len = 0, integ = 0, prf = 0;
- chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty;
+ ike_sa_t *ike_sa = NULL, *old_sa = NULL;
+ u_int16_t encr = 0, len = 0, integ = 0, prf = 0, old_prf = PRF_UNDEFINED;
+ chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty;
+ chunk_t secret = chunk_empty, old_skd = chunk_empty;
enumerator = message->create_attribute_enumerator(message);
while (enumerator->enumerate(enumerator, &attribute, &value))
ike_sa);
break;
case HA_SYNC_IKE_REKEY_ID:
- DBG1(DBG_IKE, "TODO: rekey HA sync");
+ old_sa = this->cache->get_ike_sa(this->cache, value.ike_sa_id);
break;
case HA_SYNC_NONCE_I:
nonce_i = value.chunk;
case HA_SYNC_SECRET:
secret = value.chunk;
break;
+ case HA_SYNC_OLD_SKD:
+ old_skd = value.chunk;
+ break;
case HA_SYNC_ALG_ENCR:
encr = value.u16;
break;
case HA_SYNC_ALG_PRF:
prf = value.u16;
break;
+ case HA_SYNC_ALG_OLD_PRF:
+ old_prf = value.u16;
+ break;
default:
break;
}
}
enumerator->destroy(enumerator);
-
if (ike_sa)
{
proposal_t *proposal;
}
charon->bus->set_sa(charon->bus, ike_sa);
if (!keymat->derive_ike_keys(keymat, proposal, &dh, nonce_i, nonce_r,
- ike_sa->get_id(ike_sa), NULL))
+ ike_sa->get_id(ike_sa), old_prf, old_skd))
{
DBG1(DBG_IKE, "HA sync keymat derivation failed");
}
charon->bus->set_sa(charon->bus, NULL);
proposal->destroy(proposal);
+
+ if (old_sa)
+ {
+ ike_sa->inherit(ike_sa, old_sa);
+ this->cache->delete_ike_sa(this->cache, old_sa->get_id(old_sa));
+ }
}
}
case HA_SYNC_IKE_DELETE:
process_ike_delete(this, message);
break;
- case HA_SYNC_IKE_REKEY:
- break;
case HA_SYNC_CHILD_ADD:
process_child_add(this, message);
break;
return TRUE;
}
- if (rekey == NULL)
- {
- m = ha_sync_message_create(HA_SYNC_IKE_ADD);
+ m = ha_sync_message_create(HA_SYNC_IKE_ADD);
+ m->add_attribute(m, HA_SYNC_IKE_ID, ike_sa->get_id(ike_sa));
- m->add_attribute(m, HA_SYNC_IKE_ID, ike_sa->get_id(ike_sa));
- }
- else
+ if (rekey)
{
- m = ha_sync_message_create(HA_SYNC_IKE_REKEY);
+ chunk_t skd;
+ keymat_t *keymat;
- m->add_attribute(m, HA_SYNC_IKE_ID, ike_sa->get_id(ike_sa));
+ keymat = rekey->get_keymat(rekey);
m->add_attribute(m, HA_SYNC_IKE_REKEY_ID, rekey->get_id(rekey));
+ m->add_attribute(m, HA_SYNC_ALG_OLD_PRF, keymat->get_skd(keymat, &skd));
+ m->add_attribute(m, HA_SYNC_OLD_SKD, skd);
}
proposal = ike_sa->get_proposal(ike_sa);
HA_SYNC_IKE_UPDATE,
/** delete an existing IKE_SA */
HA_SYNC_IKE_DELETE,
- /** rekeying an existing IKE_SA, transferring CHILD_SAs to a new one */
- HA_SYNC_IKE_REKEY,
/** add a new CHILD_SA */
HA_SYNC_CHILD_ADD,
/** delete an existing CHILD_SA */
HA_SYNC_NONCE_R,
/** chunk_t, diffie hellman shared secret */
HA_SYNC_SECRET,
+ /** chunk_t, SKd of old SA if rekeying */
+ HA_SYNC_OLD_SKD,
/** u_int16_t, pseudo random function */
HA_SYNC_ALG_PRF,
+ /** u_int16_t, old pseudo random function if rekeying */
+ HA_SYNC_ALG_OLD_PRF,
/** u_int16_t, encryption algorithm */
HA_SYNC_ALG_ENCR,
/** u_int16_t, encryption key size in bytes */