From: Tobias Brunner
Date: Tue, 5 Nov 2019 15:42:58 +0000 (+0100)
Subject: wip: ike-init: Indicate support for IKE_INTERMEDIATE
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff424de04eeb986edeac0d9064442e77e8cf19f7;p=thirdparty%2Fstrongswan.git

wip: ike-init: Indicate support for IKE_INTERMEDIATE

wip: We should also add some checks if the notify was not received.
---

diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 7d1e331521..3b6306007b 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -161,7 +161,7 @@ enum ike_extension_t {
 EXT_IKE_MESSAGE_ID_SYNC = (1<<14),
 
 /**
- * Postquantum Preshared Keys, draft-ietf-ipsecme-qr-ikev2
+ * Postquantum Preshared Keys, RFC 8784
 */
 EXT_PPK = (1<<15),
 
@@ -169,6 +169,11 @@ enum ike_extension_t {
 * Responder accepts childless IKE_SAs, RFC 6023
 */
 EXT_IKE_CHILDLESS = (1<<16),
+
+ /**
+ * IKEv2 Intermediate Exchange, RFC 9242
+ */
+ EXT_IKE_INTERMEDIATE = (1<<17),
 };
 
 /**
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 4710dc7739..d795b6cde9 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -348,6 +348,7 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
 proposal_t *proposal;
 enumerator_t *enumerator;
 ike_cfg_t *ike_cfg;
+ bool additional_ke = FALSE;
 
 id = this->ike_sa->get_id(this->ike_sa);
 
@@ -372,6 +373,8 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
 proposal_list->remove_at(proposal_list, enumerator);
 other_dh_groups->insert_last(other_dh_groups, proposal);
 }
+ additional_ke = additional_ke ||
+ proposal_has_additional_ke(proposal);
 }
 enumerator->destroy(enumerator);
 /* add proposals that don't contain the selected group */
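Review bot: The accumulation `additional_ke = additional_ke || proposal_has_additional_ke(proposal);` runs for every proposal in the loop, including the ones just moved to other_dh_groups, so the flag ends up meaning "some configured proposal needs an additional key exchange" rather than "the proposal the peer is likely to pick needs one". That is the right meaning for a capability announcement, but neither the variable name nor the code says so. A one-line comment would make the intent explicit, e.g. `/* announce IKE_INTERMEDIATE support if any proposal requires additional key exchanges */`. The enclosing while loop and build_payloads itself start before this hunk.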
@@ -394,6 +397,7 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
 this->proposal->set_spi(this->proposal, id->get_responder_spi(id));
 }
 sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
+ additional_ke = proposal_has_additional_ke(this->proposal);
 }
 message->add_payload(message, (payload_t*)sa_payload);
 
@@ -467,6 +471,16 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
 message->add_notify(message, FALSE, CHILDLESS_IKEV2_SUPPORTED,
 chunk_empty);
 }
+ if (!this->old_sa && additional_ke)
+ {
+ if (this->initiator ||
+ this->ike_sa->supports_extension(this->ike_sa,
+ EXT_IKE_INTERMEDIATE))
+ {
+ message->add_notify(message, FALSE, INTERMEDIATE_EXCHANGE_SUPPORTED,
+ chunk_empty);
+ }
+ }
 return TRUE;
 }
 
@@ -726,6 +740,13 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 EXT_IKE_CHILDLESS);
 }
 break;
+ case INTERMEDIATE_EXCHANGE_SUPPORTED:
+ if (!this->old_sa)
+ {
+ this->ike_sa->enable_extension(this->ike_sa,
+ EXT_IKE_INTERMEDIATE);
+ }
+ break;
 default:
 /* other notifies are handled elsewhere */
 break;
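Review bot: On the responder side the new block silently omits the notify when `additional_ke` is true but the peer never announced EXT_IKE_INTERMEDIATE, yet `this->proposal` has already been serialized into sa_payload earlier in this function and still carries the additional key exchange(s) that would presumably be carried out in IKE_INTERMEDIATE, so the SA continues with a proposal that cannot be completed as negotiated. The check the commit message defers belongs where the responder selects the proposal (in process_payloads, outside this hunk), so that a proposal with additional key exchanges is not chosen unless the initiator sent INTERMEDIATE_EXCHANGE_SUPPORTED; failing the exchange there is preferable to proceeding with a key derivation that may lack the extra exchange. As a point of style, the two nested ifs can be one condition, `if (!this->old_sa && additional_ke && (this->initiator || this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_INTERMEDIATE)))`. build_payloads starts before this hunk.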
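Review bot: After the new `case INTERMEDIATE_EXCHANGE_SUPPORTED:` nothing on the initiator verifies that the responder actually announced the extension when the selected proposal requires an additional key exchange; the extension is enabled if the notify was seen and simply left unset otherwise, which is the missing check the commit message mentions. Once the responder's proposal has been processed (outside this hunk), the initiator should fail the exchange if `proposal_has_additional_ke(this->proposal)` is true and `this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_INTERMEDIATE)` is false, rather than continuing without the negotiated exchange. The `!this->old_sa` guard matches the one in build_payloads, but the reason rekeyed SAs ignore the notify is not visible here; a short comment on the guard stating that reason would help the next reader. process_payloads starts before this hunk and its switch continues past it.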