From cf0dca3d964ee9672f2e686a41105b81ebe93518 Mon Sep 17 00:00:00 2001 From: Rishabh Date: Sat, 7 Aug 2021 22:09:50 +0530 Subject: [PATCH] Identity Hash Support. --- include/ike_alg_hash.h | 2 ++ include/pluto_constants.h | 2 ++ lib/libipsecconf/confread.c | 2 +- lib/libswan/ike_alg_sha2.c | 13 +++++++++++++ programs/pluto/ikev2_auth.c | 8 ++++++-- 5 files changed, 24 insertions(+), 3 deletions(-) diff --git a/include/ike_alg_hash.h b/include/ike_alg_hash.h index d10c2080821..c5047a983fc 100644 --- a/include/ike_alg_hash.h +++ b/include/ike_alg_hash.h @@ -25,6 +25,8 @@ extern const struct hash_desc ike_alg_hash_sha2_384; extern const struct hash_desc ike_alg_hash_sha2_512; #endif +extern const struct hash_desc ike_alg_hash_identity; + #ifdef USE_MD5 extern const struct hash_desc ike_alg_hash_md5; #endif diff --git a/include/pluto_constants.h b/include/pluto_constants.h index 1e10b2e97fb..f9a1a7402cd 100644 --- a/include/pluto_constants.h +++ b/include/pluto_constants.h @@ -997,6 +997,7 @@ enum sighash_policy_bits { POL_SIGHASH_SHA2_256_IX, POL_SIGHASH_SHA2_384_IX, POL_SIGHASH_SHA2_512_IX, + POL_SIGHASH_IDENTITY_IX, }; extern const struct enum_names sighash_policy_bit_names; @@ -1004,6 +1005,7 @@ extern const struct enum_names sighash_policy_bit_names; #define POL_SIGHASH_SHA2_256 LELEM(POL_SIGHASH_SHA2_256_IX) #define POL_SIGHASH_SHA2_384 LELEM(POL_SIGHASH_SHA2_384_IX) #define POL_SIGHASH_SHA2_512 LELEM(POL_SIGHASH_SHA2_512_IX) +#define POL_SIGHASH_IDENTITY LELEM(POL_SIGHASH_IDENTITY_IX) /* Default policy for now is using RSA - this might change to ECC */ #define POLICY_DEFAULT POLICY_RSASIG diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c index d7469f03778..a46e50b75e9 100644 --- a/lib/libipsecconf/confread.c +++ b/lib/libipsecconf/confread.c @@ -185,7 +185,7 @@ static void ipsecconf_default_values(struct starter_config *cfg) POLICY_ESN_NO; /* esn=no */ d->sighash_policy = - POL_SIGHASH_SHA2_256 | POL_SIGHASH_SHA2_384 | POL_SIGHASH_SHA2_512; + POL_SIGHASH_SHA2_256 | POL_SIGHASH_SHA2_384 | POL_SIGHASH_SHA2_512| POL_SIGHASH_IDENTITY; d->left.host_family = &ipv4_info; d->left.addr = ipv4_info.address.any; diff --git a/lib/libswan/ike_alg_sha2.c b/lib/libswan/ike_alg_sha2.c index 745154043bf..169dedf6126 100644 --- a/lib/libswan/ike_alg_sha2.c +++ b/lib/libswan/ike_alg_sha2.c @@ -185,6 +185,19 @@ const struct hash_desc ike_alg_hash_sha2_384 = { .hash_asn1_blob_ecdsa = THING_AS_HUNK(asn1_blob_ecdsa_sha2_384), }; +const struct hash_desc ike_alg_hash_identity = { + .common = { + .fqn = "IDENTITY_HASH", + .names = "IDENTITY_HASH", + .algo_type = IKE_ALG_HASH, + .id = { + [IKEv2_ALG_ID] = IKEv2_HASH_ALGORITHM_IDENTITY, + }, + .fips = false, + }, + +}; + const struct prf_desc ike_alg_prf_sha2_384 = { .common = { .fqn = "HMAC_SHA2_384", diff --git a/programs/pluto/ikev2_auth.c b/programs/pluto/ikev2_auth.c index daf80b26b39..932af585722 100644 --- a/programs/pluto/ikev2_auth.c +++ b/programs/pluto/ikev2_auth.c @@ -213,7 +213,11 @@ const struct hash_desc *v2_auth_negotiated_signature_hash(struct ike_sa *ike) } else if (ike->sa.st_hash_negotiated & NEGOTIATE_AUTH_HASH_SHA2_256) { hash_algo = &ike_alg_hash_sha2_256; dbg("emit hash algo NEGOTIATE_AUTH_HASH_SHA2_256"); - } else { + } else if (ike->sa.st_hash_negotiated & NEGOTIATE_AUTH_HASH_IDENTITY) { + hash_algo = &ike_alg_hash_identity; + dbg("emit hash algo NEGOTIATE_AUTH_HASH_IDENTITY"); + } + else { hash_algo = NULL; dbg("DigSig: no compatible DigSig hash algo"); } @@ -473,7 +477,7 @@ diag_t v2_authsig_and_log(enum ikev2_auth_method recv_auth, { NEGOTIATE_AUTH_HASH_SHA2_512, &ike_alg_hash_sha2_512 }, { NEGOTIATE_AUTH_HASH_SHA2_384, &ike_alg_hash_sha2_384 }, { NEGOTIATE_AUTH_HASH_SHA2_256, &ike_alg_hash_sha2_256 }, - /* { NEGOTIATE_AUTH_HASH_IDENTITY, IKEv2_HASH_ALGORITHM_IDENTITY }, */ + { NEGOTIATE_AUTH_HASH_IDENTITY, &ike_alg_hash_identity }, }; const struct hash_alts *hap;