Identity Hash Support.

libreswan · Aug 7, 2021 · cf0dca3 · cf0dca3
1 parent ac637de
commit cf0dca3
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 3 deletions.
diff --git a/include/ike_alg_hash.h b/include/ike_alg_hash.h
@@ -25,6 +25,8 @@ extern const struct hash_desc ike_alg_hash_sha2_384;
 extern const struct hash_desc ike_alg_hash_sha2_512;
 #endif
 
+extern const struct hash_desc ike_alg_hash_identity;
+
 #ifdef USE_MD5
 extern const struct hash_desc ike_alg_hash_md5;
 #endif
diff --git a/include/pluto_constants.h b/include/pluto_constants.h
@@ -997,13 +997,15 @@ enum sighash_policy_bits {
 	POL_SIGHASH_SHA2_256_IX,
 	POL_SIGHASH_SHA2_384_IX,
 	POL_SIGHASH_SHA2_512_IX,
+	POL_SIGHASH_IDENTITY_IX,
 };
 
 extern const struct enum_names sighash_policy_bit_names;
 
 #define POL_SIGHASH_SHA2_256 LELEM(POL_SIGHASH_SHA2_256_IX)
 #define POL_SIGHASH_SHA2_384 LELEM(POL_SIGHASH_SHA2_384_IX)
 #define POL_SIGHASH_SHA2_512 LELEM(POL_SIGHASH_SHA2_512_IX)
+#define POL_SIGHASH_IDENTITY LELEM(POL_SIGHASH_IDENTITY_IX)
 
 /* Default policy for now is using RSA - this might change to ECC */
 #define POLICY_DEFAULT POLICY_RSASIG

diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
@@ -185,7 +185,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
 		POLICY_ESN_NO;      	     /* esn=no */
 
 	d->sighash_policy =
-		POL_SIGHASH_SHA2_256 | POL_SIGHASH_SHA2_384 | POL_SIGHASH_SHA2_512;
+		POL_SIGHASH_SHA2_256 | POL_SIGHASH_SHA2_384 | POL_SIGHASH_SHA2_512| POL_SIGHASH_IDENTITY;
 
 	d->left.host_family = &ipv4_info;
 	d->left.addr = ipv4_info.address.any;

diff --git a/lib/libswan/ike_alg_sha2.c b/lib/libswan/ike_alg_sha2.c
@@ -185,6 +185,19 @@ const struct hash_desc ike_alg_hash_sha2_384 = {
 	.hash_asn1_blob_ecdsa = THING_AS_HUNK(asn1_blob_ecdsa_sha2_384),
 };
 
+const struct hash_desc ike_alg_hash_identity = {
+	.common = {
+		.fqn = "IDENTITY_HASH",
+		.names = "IDENTITY_HASH",
+		.algo_type = IKE_ALG_HASH,
+		.id = {
+			[IKEv2_ALG_ID] =  IKEv2_HASH_ALGORITHM_IDENTITY,
+		},
+		.fips = false,
+	},
+
+};
+
 const struct prf_desc ike_alg_prf_sha2_384 = {
 	.common = {
 		.fqn = "HMAC_SHA2_384",

diff --git a/programs/pluto/ikev2_auth.c b/programs/pluto/ikev2_auth.c
@@ -213,7 +213,11 @@ const struct hash_desc *v2_auth_negotiated_signature_hash(struct ike_sa *ike)
 	} else if (ike->sa.st_hash_negotiated & NEGOTIATE_AUTH_HASH_SHA2_256) {
 		hash_algo = &ike_alg_hash_sha2_256;
 		dbg("emit hash algo NEGOTIATE_AUTH_HASH_SHA2_256");
-	} else {
+	} else if (ike->sa.st_hash_negotiated & NEGOTIATE_AUTH_HASH_IDENTITY) {
+    		hash_algo = &ike_alg_hash_identity;
+    		dbg("emit hash algo NEGOTIATE_AUTH_HASH_IDENTITY");
+	}
+	 else {
 		hash_algo = NULL;
 		dbg("DigSig: no compatible DigSig hash algo");
 	}
@@ -473,7 +477,7 @@ diag_t v2_authsig_and_log(enum ikev2_auth_method recv_auth,
 			{ NEGOTIATE_AUTH_HASH_SHA2_512, &ike_alg_hash_sha2_512 },
 			{ NEGOTIATE_AUTH_HASH_SHA2_384, &ike_alg_hash_sha2_384 },
 			{ NEGOTIATE_AUTH_HASH_SHA2_256, &ike_alg_hash_sha2_256 },
-			/* { NEGOTIATE_AUTH_HASH_IDENTITY, IKEv2_HASH_ALGORITHM_IDENTITY }, */
+			{ NEGOTIATE_AUTH_HASH_IDENTITY, &ike_alg_hash_identity },
 		};
 
 		const struct hash_alts *hap;