From 0fa987cfe10cef2d8d398f57edf2c7e67ae3ab08 Mon Sep 17 00:00:00 2001 From: allen0091 <44120584+allen0091@users.noreply.github.com> Date: Thu, 12 Dec 2024 18:26:11 +0800 Subject: [PATCH] Split ConcatenatedNonce to Ni & Nr (#13) --- pkg/context/context.go | 7 ++++++- pkg/ike/handler/handler.go | 24 ++++++++++++++++-------- 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/pkg/context/context.go b/pkg/context/context.go index b7ed7cf..9885e9d 100644 --- a/pkg/context/context.go +++ b/pkg/context/context.go @@ -134,7 +134,8 @@ type IKESecurityAssociation struct { InitiatorSignedOctets []byte // Used for key generating - ConcatenatedNonce []byte + NonceInitiator []byte + NonceResponder []byte // State for IKE_AUTH State uint8 @@ -180,6 +181,10 @@ type ChildSecurityAssociation struct { EnableEncapsulate bool N3IWFPort int NATPort int + + // Used for key generating + NonceInitiator []byte + NonceResponder []byte } type UDPSocketInfo struct { diff --git a/pkg/ike/handler/handler.go b/pkg/ike/handler/handler.go index 61b9ab5..fb9aeea 100644 --- a/pkg/ike/handler/handler.go +++ b/pkg/ike/handler/handler.go 
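Review bot: The new `NonceInitiator` / `NonceResponder` fields on `IKESecurityAssociation` and `ChildSecurityAssociation` are named by exchange role, but their only comment, `// Used for key generating`, does not say whose nonce goes where. Elsewhere in this patch HandleIKESAINIT stores the local nonce as `NonceInitiator`, while HandleCREATECHILDSA stores the nonce from the received payload there, so the local/remote mapping flips between exchanges. A swapped pair would derive different keys without any error, so the fields should say this, for example `// Ni and Nr of the exchange that created this SA, by role rather than local/remote; concatenated as Ni | Nr for key derivation.`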
@@ -111,14 +111,16 @@ func HandleIKESAINIT( PrfInfo: prf.DecodeTransform(n3ueSelf.Proposal.PseudorandomFunction[0]), DhInfo: dh.DecodeTransform(n3ueSelf.Proposal.DiffieHellmanGroup[0]), }, - ConcatenatedNonce: append(n3ueSelf.LocalNonce, remoteNonce...), + NonceInitiator: n3ueSelf.LocalNonce, + NonceResponder: remoteNonce, ResponderSignedOctets: append(n3ueSelf.N3IWFUe.N3IWFIKESecurityAssociation. ResponderSignedOctets, remoteNonce...), UEIsBehindNAT: ueIsBehindNAT, N3IWFIsBehindNAT: n3iwfIsBehindNAT, } + ConcatenatedNonce := append(ikeSecurityAssociation.NonceInitiator, ikeSecurityAssociation.NonceResponder...) - err = ikeSecurityAssociation.IKESAKey.GenerateKeyForIKESA(ikeSecurityAssociation.ConcatenatedNonce, + err = ikeSecurityAssociation.IKESAKey.GenerateKeyForIKESA(ConcatenatedNonce, sharedKeyExchangeData, ikeSecurityAssociation.LocalSPI, ikeSecurityAssociation.RemoteSPI) if err != nil { ikeLog.Errorf("Generate key for IKE SA failed: %+v", err) @@ -545,9 +547,13 @@ func HandleIKEAUTH( } // Select TCP traffic childSecurityAssociationContext.SelectedIPProtocol = unix.IPPROTO_TCP + childSecurityAssociationContext.NonceInitiator = ikeSecurityAssociation.NonceInitiator + childSecurityAssociationContext.NonceResponder = ikeSecurityAssociation.NonceResponder + concatenatedNonce := append(childSecurityAssociationContext.NonceInitiator, + childSecurityAssociationContext.NonceResponder...) err = childSecurityAssociationContext.GenerateKeyForChildSA(ikeSecurityAssociation.IKESAKey, - ikeSecurityAssociation.ConcatenatedNonce) + concatenatedNonce) if err != nil { ikeLog.Errorf("HandleIKEAUTH Generate key for child SA failed: %+v", err) return @@ -647,6 +653,7 @@ func HandleCREATECHILDSA( var responseTrafficSelectorInitiator *ike_message.TrafficSelectorInitiator var responseTrafficSelectorResponder *ike_message.TrafficSelectorResponder var err error + var nonce []byte for _, ikePayload := range message.Payloads { switch ikePayload.Type() { 
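Review bot: `append(ikeSecurityAssociation.NonceInitiator, ikeSecurityAssociation.NonceResponder...)` in HandleIKESAINIT writes into the backing array of `NonceInitiator` whenever that slice has spare capacity, so the key-derivation input can alias a buffer the SA still shares with `n3ueSelf.LocalNonce` and overwrite the bytes that follow it. Whether spare capacity exists depends on how `LocalNonce` was allocated, which is outside this hunk. The same pattern is added in HandleIKEAUTH and in the last hunk of HandleCREATECHILDSA, where the first operand is `nonce`, taken directly from the received payload's `NonceData`. Building the value in a fresh slice avoids this, e.g. `concatenatedNonce := append(append([]byte{}, ikeSecurityAssociation.NonceInitiator...), ikeSecurityAssociation.NonceResponder...)`. That also gives the local the lower-case name the other two hunks use, instead of `ConcatenatedNonce`.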
@@ -679,7 +686,7 @@ func HandleCREATECHILDSA( } case ike_message.TypeNiNr: responseNonce := ikePayload.(*ike_message.Nonce) - ikeSecurityAssociation.ConcatenatedNonce = responseNonce.NonceData + nonce = responseNonce.NonceData } } @@ -705,9 +712,6 @@ func HandleCREATECHILDSA( return } localNonce := localNonceBigInt.Bytes() - ikeSecurityAssociation.ConcatenatedNonce = append( - ikeSecurityAssociation.ConcatenatedNonce, - localNonce...) ikePayload.BuildNonce(localNonce) ikeMessage := ike_message.NewMessage( @@ -753,9 +757,13 @@ func HandleCREATECHILDSA( } // Select GRE traffic childSecurityAssociationContextUserPlane.SelectedIPProtocol = unix.IPPROTO_GRE + childSecurityAssociationContextUserPlane.NonceInitiator = nonce + childSecurityAssociationContextUserPlane.NonceResponder = localNonce + concatenatedNonce := append(childSecurityAssociationContextUserPlane.NonceInitiator, + childSecurityAssociationContextUserPlane.NonceResponder...) err = childSecurityAssociationContextUserPlane.GenerateKeyForChildSA(ikeSecurityAssociation.IKESAKey, - ikeSecurityAssociation.ConcatenatedNonce) + concatenatedNonce) if err != nil { ikeLog.Errorf("HandleCREATECHILDSA() Generate key for child SA failed: %+v", err) return
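Review bot: Nothing visible in HandleCREATECHILDSA checks that a nonce payload was actually received. If the message carries no `TypeNiNr` payload, `nonce` stays nil and the last hunk derives the child SA keys from `localNonce` alone. The function body runs outside these hunks, so a check may exist elsewhere; if not, I would add one right after the payload loop, e.g. `if len(nonce) < 16 || len(nonce) > 256 { ikeLog.Errorf("HandleCREATECHILDSA() missing or malformed nonce payload"); return }` (RFC 7296 bounds the nonce data to 16–256 octets). The loop also silently keeps the last nonce payload when a message carries several. A more specific name than `nonce`, such as `remoteNonce` as in HandleIKESAINIT, would make the `NonceInitiator = nonce` assignment easier to read.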