Store peer IKE init message

The IKE init message sent to us by the peer is needed for authentication
in the authorization hook. Store the message as chunk in the keymat and
provide a getter to make it available.

diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index 9beb10430a51f71d240bae64253d398ac1c6a3b1..2fc5d60ebb5d84294e5e53b1e617f667e9b87fb9 100644 (file)
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -66,6 +66,11 @@ struct private_tkm_keymat_t {
         */
        chunk_t auth_payload;
 
+       /**
+        * Peer init message chunk.
+        */
+       chunk_t other_init_msg;
+
 };
 
 /**
@@ -357,6 +362,11 @@ METHOD(keymat_v2_t, get_auth_octets, bool,
        private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
        chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
 {
+       if (verify)
+       {
+               /* store peer init message for authentication step */
+               this->other_init_msg = chunk_clone(ike_sa_init);
+       }
        DBG1(DBG_IKE, "returning auth octets");
        *octets = chunk_empty;
        return TRUE;
@@ -432,6 +442,7 @@ METHOD(keymat_t, destroy, void,
        DESTROY_IF(this->aead_in);
        DESTROY_IF(this->aead_out);
        chunk_free(&this->auth_payload);
+       chunk_free(&this->other_init_msg);
        free(this);
 }
 
@@ -453,6 +464,12 @@ METHOD(tkm_keymat_t, get_auth_payload, chunk_t*,
        return &this->auth_payload;
 }
 
+METHOD(tkm_keymat_t, get_peer_init_msg, chunk_t*,
+       private_tkm_keymat_t *this)
+{
+       return &this->other_init_msg;
+}
+
 /**
  * See header.
  */
@@ -479,11 +496,13 @@ tkm_keymat_t *tkm_keymat_create(bool initiator)
                        .get_isa_id = _get_isa_id,
                        .set_auth_payload = _set_auth_payload,
                        .get_auth_payload = _get_auth_payload,
+                       .get_peer_init_msg = _get_peer_init_msg,
                },
                .initiator = initiator,
                .isa_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ISA),
                .ae_ctx_id = 0,
                .auth_payload = chunk_empty,
+               .other_init_msg = chunk_empty,
        );
 
        if (!this->isa_ctx_id)

diff --git a/src/charon-tkm/src/tkm/tkm_keymat.h b/src/charon-tkm/src/tkm/tkm_keymat.h
index 16f2f2a49cb961a262ad387f1abe5a37286226f7..207f9728e47f1c2019eb20d01ff61aa7df9e3c6d 100644 (file)
--- a/src/charon-tkm/src/tkm/tkm_keymat.h
+++ b/src/charon-tkm/src/tkm/tkm_keymat.h
@@ -52,6 +52,13 @@ struct tkm_keymat_t {
         */
        chunk_t* (*get_auth_payload)(tkm_keymat_t * const this);
 
+       /**
+        * Get IKE init message of peer.
+        *
+        * @return                              init message if set, chunk_empty otherwise
+        */
+       chunk_t* (*get_peer_init_msg)(tkm_keymat_t * const this);
+
 };
 
 /**