Message rules for IKEv1 ID_PROT exchange added.
These rules are quite broad and cover main mode with at least PSK and signature-based authentication.
This commit is contained in:
parent
fdb8421f36
commit
6ba70ba8dd
|
@ -414,6 +414,72 @@ static payload_order_t me_connect_r_order[] = {
|
|||
};
|
||||
#endif /* ME */
|
||||
|
||||
#ifdef USE_IKEV1
|
||||
/**
|
||||
* Message rule for ID_PROT from initiator.
|
||||
*/
|
||||
static payload_rule_t id_prot_i_rules[] = {
|
||||
/* payload type min max encr suff */
|
||||
{NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
|
||||
{SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
|
||||
{KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
|
||||
{NONCE_V1, 0, 1, FALSE, FALSE},
|
||||
{VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
|
||||
{ID_V1, 0, 1, TRUE, FALSE},
|
||||
{CERTIFICATE_V1, 0, 1, TRUE, FALSE},
|
||||
{SIGNATURE_V1, 0, 1, TRUE, FALSE},
|
||||
{HASH_V1, 0, 1, TRUE, FALSE},
|
||||
};
|
||||
|
||||
/**
|
||||
* payload order for ID_PROT from initiator.
|
||||
*/
|
||||
static payload_order_t id_prot_i_order[] = {
|
||||
/* payload type notify type */
|
||||
{SECURITY_ASSOCIATION_V1, 0},
|
||||
{KEY_EXCHANGE_V1, 0},
|
||||
{NONCE_V1, 0},
|
||||
{ID_V1, 0},
|
||||
{CERTIFICATE_V1, 0},
|
||||
{SIGNATURE_V1, 0},
|
||||
{HASH_V1, 0},
|
||||
{NOTIFICATION_V1, 0},
|
||||
{VENDOR_ID_V1, 0},
|
||||
};
|
||||
|
||||
/**
|
||||
* Message rule for ID_PROT from responder.
|
||||
*/
|
||||
static payload_rule_t id_prot_r_rules[] = {
|
||||
/* payload type min max encr suff */
|
||||
{NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
|
||||
{SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
|
||||
{KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
|
||||
{NONCE_V1, 0, 1, FALSE, FALSE},
|
||||
{VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
|
||||
{ID_V1, 0, 1, TRUE, FALSE},
|
||||
{CERTIFICATE_V1, 0, 1, TRUE, FALSE},
|
||||
{SIGNATURE_V1, 0, 1, TRUE, FALSE},
|
||||
{HASH_V1, 0, 1, TRUE, FALSE},
|
||||
};
|
||||
|
||||
/**
|
||||
* payload order for ID_PROT from responder.
|
||||
*/
|
||||
static payload_order_t id_prot_r_order[] = {
|
||||
/* payload type notify type */
|
||||
{SECURITY_ASSOCIATION_V1, 0},
|
||||
{KEY_EXCHANGE_V1, 0},
|
||||
{NONCE_V1, 0},
|
||||
{ID_V1, 0},
|
||||
{CERTIFICATE_V1, 0},
|
||||
{SIGNATURE_V1, 0},
|
||||
{HASH_V1, 0},
|
||||
{NOTIFICATION_V1, 0},
|
||||
{VENDOR_ID_V1, 0},
|
||||
};
|
||||
#endif /* USE_IKEV1 */
|
||||
|
||||
/**
|
||||
* Message rules, defines allowed payloads.
|
||||
*/
|
||||
|
@ -460,6 +526,17 @@ static message_rule_t message_rules[] = {
|
|||
countof(me_connect_r_order), me_connect_r_order,
|
||||
},
|
||||
#endif /* ME */
|
||||
#ifdef USE_IKEV1
|
||||
{ID_PROT, TRUE, FALSE,
|
||||
countof(id_prot_i_rules), id_prot_i_rules,
|
||||
countof(id_prot_i_order), id_prot_i_order,
|
||||
},
|
||||
{ID_PROT, FALSE, FALSE,
|
||||
countof(id_prot_r_rules), id_prot_r_rules,
|
||||
countof(id_prot_r_order), id_prot_r_order,
|
||||
},
|
||||
/* TODO-IKEv1: define rules for other exchanges */
|
||||
#endif /* USE_IKEV1 */
|
||||
};
|
||||
|
||||
|
||||
|
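Review bot: Every entry in id_prot_i_rules and id_prot_r_rules has min 0 and sufficient FALSE, so the rule check cannot reject an ID_PROT message that lacks SA, KE, NONCE, ID or HASH/SIG — any of the six main mode messages passes the same table, and that deliberate looseness is only explained in the commit message, not in the code. I would add `/* one table covers all six ID_PROT messages, so no payload is mandatory here; per-message presence checks must be done by the task */` above the first rule of id_prot_i_rules and of id_prot_r_rules. The initiator and responder rule tables, and likewise the two order tables, are byte-identical, so referencing a single pair of arrays from both message_rules entries would keep them from drifting apart. CERTIFICATE_V1 is capped at max 1 in both tables; if a peer sends more than one CERT payload (for example an intermediate CA certificate alongside the end-entity certificate) the message would be rejected, so either the limit should be raised in the style of MAX_NOTIFY_PAYLOADS or the restriction documented.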
|