ims-volte-vowifi
/
strongswan
1
0
Fork 0
Code Pull Requests Releases Activity

further work for rekeying:

Browse Source 
get liftimes from policy
  added new state
  initiation of rekeying done
proposal redone:
  removed support for AH+ESP proposals
laforge/swu
Martin Willi 17 years ago
parent a401efd091
commit 8d77eddec2
36 changed files with 1392 additions and 1398 deletions
Show Stats Download Patch File Download Diff File

1
src/charon/Makefile.am
Unescape View File

@ -13,6 +13,7 @@ sa/states/ike_sa_init_responded.c sa/states/ike_sa_established.c sa/states/ike_s
sa/states/responder_init.c sa/states/responder_init.h sa/states/initiator_init.c sa/states/initiator_init.h \
sa/states/ike_sa_init_responded.h sa/states/ike_auth_requested.c sa/states/ike_auth_requested.h \
sa/states/delete_requested.h sa/states/delete_requested.c \
sa/states/create_child_sa_requested.c sa/states/create_child_sa_requested.h \
sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
sa/ike_sa_id.c sa/ike_sa_id.h sa/authenticator.c sa/authenticator.h encoding/payloads/encryption_payload.c \
encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \

9
src/charon/config/connections/connection.c
Unescape View File

@ -155,7 +155,7 @@ static proposal_t *select_proposal(private_connection_t *this, linked_list_t *pr
{
supplied_iter->reset(supplied_iter);
stored_iter->current(stored_iter, (void**)&stored);
while (supplied_iter->has_next(supplied_iter))
{
supplied_iter->current(supplied_iter, (void**)&supplied);
@ -169,7 +169,6 @@ static proposal_t *select_proposal(private_connection_t *this, linked_list_t *pr
}
}
}
/* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */
stored_iter->destroy(stored_iter);
supplied_iter->destroy(supplied_iter);
@ -206,7 +205,7 @@ static diffie_hellman_group_t get_dh_group(private_connection_t *this)
while (iterator->has_next(iterator))
{
iterator->current(iterator, (void**)&proposal);
proposal->get_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, &algo);
proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo);
if (algo)
{
iterator->destroy(iterator);
@ -230,7 +229,7 @@ static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh
while (prop_iter->has_next(prop_iter))
{
prop_iter->current(prop_iter, (void**)&proposal);
alg_iter = proposal->create_algorithm_iterator(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP);
alg_iter = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP);
while (alg_iter->has_next(alg_iter))
{
alg_iter->current(alg_iter, (void**)&algo);
@ -322,7 +321,7 @@ connection_t * connection_create(char *name, bool ikev2, host_t *my_host, host_t
this->my_host = my_host;
this->other_host = other_host;
this->auth_method = auth_method;
this->proposals = linked_list_create();
return (&this->public);

18
src/charon/config/policies/policy.c
Unescape View File

@ -288,6 +288,22 @@ static void add_proposal(private_policy_t *this, proposal_t *proposal)
this->proposals->insert_last(this->proposals, (void*)proposal);
}
/**
* Implementation of policy_t.get_soft_lifetime
*/
static u_int32_t get_soft_lifetime(policy_t *this)
{
return 0; /*5 + random() % 5; */
}
/**
* Implementation of policy_t.get_hard_lifetime
*/
static u_int32_t get_hard_lifetime(policy_t *this)
{
return 0; /*20; */
}
/**
* Implements policy_t.clone.
*/
@ -396,6 +412,8 @@ policy_t *policy_create(char *name, identification_t *my_id, identification_t *o
this->public.add_my_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_my_traffic_selector;
this->public.add_other_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_other_traffic_selector;
this->public.add_proposal = (void(*)(policy_t*,proposal_t*))add_proposal;
this->public.get_soft_lifetime = (u_int32_t (*) (policy_t *))get_soft_lifetime;
this->public.get_hard_lifetime = (u_int32_t (*) (policy_t *))get_hard_lifetime;
this->public.clone = (policy_t*(*)(policy_t*))clone;
this->public.destroy = (void(*)(policy_t*))destroy;

19
src/charon/config/policies/policy.h
Unescape View File

@ -229,6 +229,25 @@ struct policy_t {
*/
void (*add_proposal) (policy_t *this, proposal_t *proposal);
/**
* @brief Get the lifetime of a policy, before rekeying starts.
*
* A call to this function automatically adds a jitter to
* avoid simultanous rekeying.
*
* @param this policy
* @return lifetime in seconds
*/
u_int32_t (*get_soft_lifetime) (policy_t *this);
/**
* @brief Get the lifetime of a policy, before SA gets deleted.
*
* @param this policy
* @return lifetime in seconds
*/
u_int32_t (*get_hard_lifetime) (policy_t *this);
/**
* @brief Clone a policy.
*

428
src/charon/config/proposal.c
Unescape View File

@ -62,13 +62,18 @@ mapping_t extended_sequence_numbers_m[] = {
{MAPPING_END, NULL}
};
typedef struct protocol_proposal_t protocol_proposal_t;
typedef struct private_proposal_t private_proposal_t;
/**
* substructure which holds all data algos for a specific protocol
* Private data of an proposal_t object
*/
struct protocol_proposal_t {
struct private_proposal_t {
/**
* Public part
*/
proposal_t public;
/**
* protocol (ESP or AH)
*/
@ -96,85 +101,15 @@ struct protocol_proposal_t {
/**
* priority ordered list of extended sequence number flags
*/
*/
linked_list_t *esns;
/**
* senders SPI
*/
chunk_t spi;
};
typedef struct private_proposal_t private_proposal_t;
/**
* Private data of an proposal_t object
*/
struct private_proposal_t {
/**
* Public part
*/
proposal_t public;
/**
* number of this proposal, as used in the payload
*/
u_int8_t number;
/**
* list of protocol_proposal_t's
*/
linked_list_t *protocol_proposals;
u_int64_t spi;
};
/**
* Look up a protocol_proposal, or create one if necessary...
*/
static protocol_proposal_t *get_protocol_proposal(private_proposal_t *this, protocol_id_t proto, bool create)
{
protocol_proposal_t *proto_proposal = NULL, *current_proto_proposal;;
iterator_t *iterator;
/* find our protocol in the proposals */
iterator = this->protocol_proposals->create_iterator(this->protocol_proposals, TRUE);
while (iterator->has_next(iterator))
{
iterator->current(iterator, (void**)&current_proto_proposal);
if (current_proto_proposal->protocol == proto)
{
proto_proposal = current_proto_proposal;
break;
}
}
iterator->destroy(iterator);
if (!proto_proposal && create)
{
/* nope, create a new one */
proto_proposal = malloc_thing(protocol_proposal_t);
proto_proposal->protocol = proto;
proto_proposal->encryption_algos = linked_list_create();
proto_proposal->integrity_algos = linked_list_create();
proto_proposal->prf_algos = linked_list_create();
proto_proposal->dh_groups = linked_list_create();
proto_proposal->esns = linked_list_create();
if (proto == PROTO_IKE)
{
proto_proposal->spi.len = 8;
}
else
{
proto_proposal->spi.len = 4;
}
proto_proposal->spi.ptr = malloc(proto_proposal->spi.len);
/* add to the list */
this->protocol_proposals->insert_last(this->protocol_proposals, (void*)proto_proposal);
}
return proto_proposal;
}
/**
* Add algorithm/keysize to a algorithm list
*/
@ -190,26 +125,24 @@ static void add_algo(linked_list_t *list, u_int8_t algo, size_t key_size)
/**
* Implements proposal_t.add_algorithm
*/
static void add_algorithm(private_proposal_t *this, protocol_id_t proto, transform_type_t type, u_int16_t algo, size_t key_size)
static void add_algorithm(private_proposal_t *this, transform_type_t type, u_int16_t algo, size_t key_size)
{
protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, TRUE);
switch (type)
{
case ENCRYPTION_ALGORITHM:
add_algo(proto_proposal->encryption_algos, algo, key_size);
add_algo(this->encryption_algos, algo, key_size);
break;
case INTEGRITY_ALGORITHM:
add_algo(proto_proposal->integrity_algos, algo, key_size);
add_algo(this->integrity_algos, algo, key_size);
break;
case PSEUDO_RANDOM_FUNCTION:
add_algo(proto_proposal->prf_algos, algo, key_size);
add_algo(this->prf_algos, algo, key_size);
break;
case DIFFIE_HELLMAN_GROUP:
add_algo(proto_proposal->dh_groups, algo, 0);
add_algo(this->dh_groups, algo, 0);
break;
case EXTENDED_SEQUENCE_NUMBERS:
add_algo(proto_proposal->esns, algo, 0);
add_algo(this->esns, algo, 0);
break;
default:
break;
@ -219,31 +152,25 @@ static void add_algorithm(private_proposal_t *this, protocol_id_t proto, transfo
/**
* Implements proposal_t.get_algorithm.
*/
static bool get_algorithm(private_proposal_t *this, protocol_id_t proto, transform_type_t type, algorithm_t** algo)
static bool get_algorithm(private_proposal_t *this, transform_type_t type, algorithm_t** algo)
{
linked_list_t * list;
protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE);
if (proto_proposal == NULL)
{
return FALSE;
}
linked_list_t *list;
switch (type)
{
case ENCRYPTION_ALGORITHM:
list = proto_proposal->encryption_algos;
list = this->encryption_algos;
break;
case INTEGRITY_ALGORITHM:
list = proto_proposal->integrity_algos;
list = this->integrity_algos;
break;
case PSEUDO_RANDOM_FUNCTION:
list = proto_proposal->prf_algos;
list = this->prf_algos;
break;
case DIFFIE_HELLMAN_GROUP:
list = proto_proposal->dh_groups;
list = this->dh_groups;
break;
case EXTENDED_SEQUENCE_NUMBERS:
list = proto_proposal->esns;
list = this->esns;
break;
default:
return FALSE;
@ -258,26 +185,20 @@ static bool get_algorithm(private_proposal_t *this, protocol_id_t proto, transfo
/**
* Implements proposal_t.create_algorithm_iterator.
*/
static iterator_t *create_algorithm_iterator(private_proposal_t *this, protocol_id_t proto, transform_type_t type)
static iterator_t *create_algorithm_iterator(private_proposal_t *this, transform_type_t type)
{
protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE);
if (proto_proposal == NULL)
{
return NULL;
}
switch (type)
{
case ENCRYPTION_ALGORITHM:
return proto_proposal->encryption_algos->create_iterator(proto_proposal->encryption_algos, TRUE);
return this->encryption_algos->create_iterator(this->encryption_algos, TRUE);
case INTEGRITY_ALGORITHM:
return proto_proposal->integrity_algos->create_iterator(proto_proposal->integrity_algos, TRUE);
return this->integrity_algos->create_iterator(this->integrity_algos, TRUE);
case PSEUDO_RANDOM_FUNCTION:
return proto_proposal->prf_algos->create_iterator(proto_proposal->prf_algos, TRUE);
return this->prf_algos->create_iterator(this->prf_algos, TRUE);
case DIFFIE_HELLMAN_GROUP:
return proto_proposal->dh_groups->create_iterator(proto_proposal->dh_groups, TRUE);
return this->dh_groups->create_iterator(this->dh_groups, TRUE);
case EXTENDED_SEQUENCE_NUMBERS:
return proto_proposal->esns->create_iterator(proto_proposal->esns, TRUE);
return this->esns->create_iterator(this->esns, TRUE);
default:
break;
}
@ -336,201 +257,112 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
proposal_t *selected;
u_int16_t algo;
size_t key_size;
iterator_t *iterator;
protocol_proposal_t *this_prop, *other_prop;
protocol_id_t proto;
bool add;
u_int64_t spi;
/* empty proposal? no match */
if (this->protocol_proposals->get_count(this->protocol_proposals) == 0 ||
other->protocol_proposals->get_count(other->protocol_proposals) == 0)
{
return NULL;
}
/* they MUST have the same amount of protocols */
if (this->protocol_proposals->get_count(this->protocol_proposals) !=
other->protocol_proposals->get_count(other->protocol_proposals))
/* check protocol */
if (this->protocol != other->protocol)
{
return NULL;
}
selected = proposal_create(this->number);
selected = proposal_create(this->protocol);
/* iterate over supplied proposals */
iterator = other->protocol_proposals->create_iterator(other->protocol_proposals, TRUE);
while (iterator->has_next(iterator))
/* select encryption algorithm */
if (select_algo(this->encryption_algos, other->encryption_algos, &add, &algo, &key_size))
{
iterator->current(iterator, (void**)&other_prop);
/* get the proposal with the same protocol */
proto = other_prop->protocol;
this_prop = get_protocol_proposal(this, proto, FALSE);
if (this_prop == NULL)
{
iterator->destroy(iterator);
selected->destroy(selected);
return NULL;
}
/* select encryption algorithm */
if (select_algo(this_prop->encryption_algos, other_prop->encryption_algos, &add, &algo, &key_size))
{
if (add)
{
selected->add_algorithm(selected, proto, ENCRYPTION_ALGORITHM, algo, key_size);
}
}
else
{
iterator->destroy(iterator);
selected->destroy(selected);
return NULL;
}
/* select integrity algorithm */
if (select_algo(this_prop->integrity_algos, other_prop->integrity_algos, &add, &algo, &key_size))
{
if (add)
{
selected->add_algorithm(selected, proto, INTEGRITY_ALGORITHM, algo, key_size);
}
}
else
{
iterator->destroy(iterator);
selected->destroy(selected);
return NULL;
}
/* select prf algorithm */
if (select_algo(this_prop->prf_algos, other_prop->prf_algos, &add, &algo, &key_size))
if (add)
{
if (add)
{
selected->add_algorithm(selected, proto, PSEUDO_RANDOM_FUNCTION, algo, key_size);
}
selected->add_algorithm(selected, ENCRYPTION_ALGORITHM, algo, key_size);
}
else
{
iterator->destroy(iterator);
selected->destroy(selected);
return NULL;
}
/* select a DH-group */
if (select_algo(this_prop->dh_groups, other_prop->dh_groups, &add, &algo, &key_size))
{
if (add)
{
selected->add_algorithm(selected, proto, DIFFIE_HELLMAN_GROUP, algo, 0);
}
}
else
}
else
{
selected->destroy(selected);
return NULL;
}
/* select integrity algorithm */
if (select_algo(this->integrity_algos, other->integrity_algos, &add, &algo, &key_size))
{
if (add)
{
iterator->destroy(iterator);
selected->destroy(selected);
return NULL;
selected->add_algorithm(selected, INTEGRITY_ALGORITHM, algo, key_size);
}
/* select if we use ESNs */
if (select_algo(this_prop->esns, other_prop->esns, &add, &algo, &key_size))
}
else
{
selected->destroy(selected);
return NULL;
}
/* select prf algorithm */
if (select_algo(this->prf_algos, other->prf_algos, &add, &algo, &key_size))
{
if (add)
{
if (add)
{
selected->add_algorithm(selected, proto, EXTENDED_SEQUENCE_NUMBERS, algo, 0);
}
selected->add_algorithm(selected, PSEUDO_RANDOM_FUNCTION, algo, key_size);
}
else
}
else
{
selected->destroy(selected);
return NULL;
}
/* select a DH-group */
if (select_algo(this->dh_groups, other->dh_groups, &add, &algo, &key_size))
{
if (add)
{
iterator->destroy(iterator);
selected->destroy(selected);
return NULL;
selected->add_algorithm(selected, DIFFIE_HELLMAN_GROUP, algo, 0);
}
}
iterator->destroy(iterator);
/* apply spis from "other" */
spi = other->public.get_spi(&(other->public), PROTO_AH);
if (spi)
else
{
selected->set_spi(selected, PROTO_AH, spi);
selected->destroy(selected);
return NULL;
}
spi = other->public.get_spi(&(other->public), PROTO_ESP);
if (spi)
/* select if we use ESNs */
if (select_algo(this->esns, other->esns, &add, &algo, &key_size))
{
selected->set_spi(selected, PROTO_ESP, spi);
if (add)
{
selected->add_algorithm(selected, EXTENDED_SEQUENCE_NUMBERS, algo, 0);
}
}
else
{
selected->destroy(selected);
return NULL;
}
/* apply SPI from "other" */
selected->set_spi(selected, other->spi);
/* everything matched, return new proposal */
return selected;
}
/**
* Implements proposal_t.get_number.
*/
static u_int8_t get_number(private_proposal_t *this)
{
return this->number;
}
/**
* Implements proposal_t.get_protocols.
*/
static void get_protocols(private_proposal_t *this, protocol_id_t ids[2])
static protocol_id_t get_protocol(private_proposal_t *this)
{
iterator_t *iterator = this->protocol_proposals->create_iterator(this->protocol_proposals, TRUE);
u_int i = 0;
ids[0] = PROTO_NONE;
ids[1] = PROTO_NONE;
while (iterator->has_next(iterator))
{
protocol_proposal_t *proto_prop;
iterator->current(iterator, (void**)&proto_prop);
ids[i++] = proto_prop->protocol;
if (i>1)
{
/* should not happen, but who knows */
break;
}
}
iterator->destroy(iterator);
return this->protocol;
}
/**
* Implements proposal_t.set_spi.
*/
static void set_spi(private_proposal_t *this, protocol_id_t proto, u_int64_t spi)
static void set_spi(private_proposal_t *this, u_int64_t spi)
{
protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE);
if (proto_proposal)
{
if (proto == PROTO_AH || proto == PROTO_ESP)
{
*((u_int32_t*)proto_proposal->spi.ptr) = (u_int32_t)spi;
}
else
{
*((u_int64_t*)proto_proposal->spi.ptr) = spi;
}
}
this->spi = spi;
}
/**
* Implements proposal_t.get_spi.
*/
static u_int64_t get_spi(private_proposal_t *this, protocol_id_t proto)
static u_int64_t get_spi(private_proposal_t *this)
{
protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE);
if (proto_proposal)
{
if (proto == PROTO_AH || proto == PROTO_ESP)
{
return (u_int64_t)*((u_int32_t*)proto_proposal->spi.ptr);
}
else
{
return *((u_int64_t*)proto_proposal->spi.ptr);
}
}
return 0;
return this->spi;
}
/**
@ -555,24 +387,15 @@ static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list)
*/
static proposal_t *clone(private_proposal_t *this)
{
private_proposal_t *clone = (private_proposal_t*)proposal_create(this->number);
private_proposal_t *clone = (private_proposal_t*)proposal_create(this->protocol);
iterator_t *iterator = this->protocol_proposals->create_iterator(this->protocol_proposals, TRUE);
while (iterator->has_next(iterator))
{
protocol_proposal_t *proto_prop, *clone_proto_prop;
iterator->current(iterator, (void**)&proto_prop);
clone_proto_prop = get_protocol_proposal(clone, proto_prop->protocol, TRUE);
memcpy(clone_proto_prop->spi.ptr, proto_prop->spi.ptr, clone_proto_prop->spi.len);
clone_algo_list(proto_prop->encryption_algos, clone_proto_prop->encryption_algos);
clone_algo_list(proto_prop->integrity_algos, clone_proto_prop->integrity_algos);
clone_algo_list(proto_prop->prf_algos, clone_proto_prop->prf_algos);
clone_algo_list(proto_prop->dh_groups, clone_proto_prop->dh_groups);
clone_algo_list(proto_prop->esns, clone_proto_prop->esns);
}
iterator->destroy(iterator);
clone_algo_list(this->encryption_algos, clone->encryption_algos);
clone_algo_list(this->integrity_algos, clone->integrity_algos);
clone_algo_list(this->prf_algos, clone->prf_algos);
clone_algo_list(this->dh_groups, clone->dh_groups);
clone_algo_list(this->esns, clone->esns);
clone->spi = this->spi;
return &clone->public;
}
@ -597,46 +420,39 @@ static void free_algo_list(linked_list_t *list)
*/
static void destroy(private_proposal_t *this)
{
while(this->protocol_proposals->get_count(this->protocol_proposals) > 0)
{
protocol_proposal_t *proto_prop;
this->protocol_proposals->remove_last(this->protocol_proposals, (void**)&proto_prop);
free_algo_list(proto_prop->encryption_algos);
free_algo_list(proto_prop->integrity_algos);
free_algo_list(proto_prop->prf_algos);
free_algo_list(proto_prop->dh_groups);
free_algo_list(proto_prop->esns);
free(proto_prop->spi.ptr);
free(proto_prop);
}
this->protocol_proposals->destroy(this->protocol_proposals);
free_algo_list(this->encryption_algos);
free_algo_list(this->integrity_algos);
free_algo_list(this->prf_algos);
free_algo_list(this->dh_groups);
free_algo_list(this->esns);
free(this);
}
/*
* Describtion in header-file
*/
proposal_t *proposal_create(u_int8_t number)
proposal_t *proposal_create(protocol_id_t protocol)
{
private_proposal_t *this = malloc_thing(private_proposal_t);
this->public.add_algorithm = (void (*)(proposal_t*,protocol_id_t,transform_type_t,u_int16_t,size_t))add_algorithm;
this->public.create_algorithm_iterator = (iterator_t* (*)(proposal_t*,protocol_id_t,transform_type_t))create_algorithm_iterator;
this->public.get_algorithm = (bool (*)(proposal_t*,protocol_id_t,transform_type_t,algorithm_t**))get_algorithm;
this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,size_t))add_algorithm;
this->public.create_algorithm_iterator = (iterator_t* (*)(proposal_t*,transform_type_t))create_algorithm_iterator;
this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,algorithm_t**))get_algorithm;
this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*))select_proposal;
this->public.get_number = (u_int8_t (*)(proposal_t*))get_number;
this->public.get_protocols = (void(*)(proposal_t *this, protocol_id_t ids[2]))get_protocols;
this->public.set_spi = (void(*)(proposal_t*,protocol_id_t,u_int64_t spi))set_spi;
this->public.get_spi = (u_int64_t(*)(proposal_t*,protocol_id_t))get_spi;
this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi;
this->public.clone = (proposal_t*(*)(proposal_t*))clone;
this->public.destroy = (void(*)(proposal_t*))destroy;
/* init private members*/
this->number = number;
this->protocol_proposals = linked_list_create();
this->spi = 0;
this->protocol = protocol;
this->encryption_algos = linked_list_create();
this->integrity_algos = linked_list_create();
this->prf_algos = linked_list_create();
this->dh_groups = linked_list_create();
this->esns = linked_list_create();
return (&this->public);
return &this->public;
}

64
src/charon/config/proposal.h
Unescape View File

@ -123,13 +123,9 @@ typedef struct proposal_t proposal_t;
* @brief Stores a set of algorithms used for an SA.
*
* A proposal stores algorithms for a specific
* protocol. It can store algorithms for more than
* one protocol (e.g. AH and ESP). Then the proposal
* means both protocols must be used.
* A proposal may contain more than one algorithm
* of the same kind. ONE of them can be selected.
*
* @warning This class is NOT thread-save!
* protocol. It can store algorithms for one protocol.
* Proposals with multiple protocols are not supported,
* as it's not specified in RFC4301 anymore.
*
* @b Constructors:
* - proposal_create()
@ -150,25 +146,21 @@ struct proposal_t {
* integrity_algorithm_t, dh_group_number_t and
* extended_sequence_numbers_t.
*
* @warning Do not add while other threads are reading.
*
* @param this calling object
* @param proto desired protocol
* @param type kind of algorithm
* @param alg identifier for algorithm
* @param key_size key size to use
*/
void (*add_algorithm) (proposal_t *this, protocol_id_t proto, transform_type_t type, u_int16_t alg, size_t key_size);
void (*add_algorithm) (proposal_t *this, transform_type_t type, u_int16_t alg, size_t key_size);
/**
* @brief Get an iterator over algorithms for a specifc protocol/algo type.
* @brief Get an iterator over algorithms for a specifc algo type.
*
* @param this calling object
* @param proto desired protocol
* @param type kind of algorithm
* @return iterator over algorithms
* @return iterator over algorithm_t's
*/
iterator_t *(*create_algorithm_iterator) (proposal_t *this, protocol_id_t proto, transform_type_t type);
iterator_t *(*create_algorithm_iterator) (proposal_t *this, transform_type_t type);
/**
* @brief Get the algorithm for a type to use.
@ -177,12 +169,11 @@ struct proposal_t {
* Result is still owned by proposal, do not modify!
*
* @param this calling object
* @param proto desired protocol
* @param type kind of algorithm
* @param[out] algo pointer which receives algorithm and key size
* @return TRUE if algorithm of this kind available
*/
bool (*get_algorithm) (proposal_t *this, protocol_id_t proto, transform_type_t type, algorithm_t** algo);
bool (*get_algorithm) (proposal_t *this, transform_type_t type, algorithm_t** algo);
/**
* @brief Compare two proposal, and select a matching subset.
@ -200,41 +191,28 @@ struct proposal_t {
proposal_t *(*select) (proposal_t *this, proposal_t *other);
/**
* @brief Get the number set on construction.
*
* @param this calling object
* @return number
*/
u_int8_t (*get_number) (proposal_t *this);
/**
* @brief Get the protocol ids in the proposals.
*
* With AH and ESP, there could be two protocols in one
* proposal.
*
* @brief Get the protocol ID of the proposal.
*
* @param this calling object
* @param ids array of protocol ids,
* @return protocol of the proposal
*/
void (*get_protocols) (proposal_t *this, protocol_id_t ids[2]);
protocol_id_t (*get_protocol) (proposal_t *this);
/**
* @brief Get the spi for a specific protocol.
* @brief Get the SPI of the proposal.
*
* @param this calling object
* @param proto AH/ESP
* @return spi for proto
*/
u_int64_t (*get_spi) (proposal_t *this, protocol_id_t proto);
u_int64_t (*get_spi) (proposal_t *this);
/**
* @brief Set the spi for a specific protocol.
* @brief Set the SPI of the proposal.
*
* @param this calling object
* @param proto AH/ESP
* @param spi spi to set for proto
*/
void (*set_spi) (proposal_t *this, protocol_id_t proto, u_int64_t spi);
void (*set_spi) (proposal_t *this, u_int64_t spi);
/**
* @brief Clone a proposal.
@ -253,17 +231,13 @@ struct proposal_t {
};
/**
* @brief Create a child proposal for AH and/or ESP.
*
* Since the order of multiple proposals is important for
* key derivation, we must assign them numbers as they
* appear in the raw payload. Numbering starts at 1.
* @brief Create a child proposal for AH, ESP or IKE.
*
* @param number number of the proposal, as in the payload
* @param protocol protocol, such as PROTO_ESP
* @return proposal_t object
*
* @ingroup config
*/
proposal_t *proposal_create(u_int8_t number);
proposal_t *proposal_create(protocol_id_t protocol);
#endif /* PROPOSAL_H_ */

8
src/charon/encoding/message.c
Unescape View File

@ -187,7 +187,7 @@ static payload_rule_t informational_r_payload_rules[] = {
/**
* Message rule for CREATE_CHILD_SA from initiator.
*/
static payload_rule_t create_child_sa_r_payload_rules[] = {
static payload_rule_t create_child_sa_i_payload_rules[] = {
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
{SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
{NONCE,1,1,TRUE,FALSE},
@ -200,7 +200,7 @@ static payload_rule_t create_child_sa_r_payload_rules[] = {
/**
* Message rule for CREATE_CHILD_SA from responder.
*/
static payload_rule_t create_child_sa_i_payload_rules[] = {
static payload_rule_t create_child_sa_r_payload_rules[] = {
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
{SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
{NONCE,1,1,TRUE,FALSE},
@ -220,7 +220,9 @@ static message_rule_t message_rules[] = {
{IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules},
{IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules},
{INFORMATIONAL,TRUE,TRUE,(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),informational_i_payload_rules},
{INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules}
{INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules},
{CREATE_CHILD_SA,TRUE,TRUE,(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),create_child_sa_i_payload_rules},
{CREATE_CHILD_SA,FALSE,TRUE,(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),create_child_sa_r_payload_rules},
};

76
src/charon/encoding/payloads/notify_payload.c
Unescape View File

@ -173,12 +173,25 @@ encoding_rule_t notify_payload_encodings[] = {
*/
static status_t verify(private_notify_payload_t *this)
{
if (this->protocol_id > 3)
switch (this->protocol_id)
{
/* reserved for future use */
return FAILED;
case PROTO_IKE:
if (this->spi.len != 8)
{
return FAILED;
}
break;
case PROTO_AH:
case PROTO_ESP:
if (this->spi.len != 4)
{
return FAILED;
}
break;
default:
return FAILED;
}
/* TODO: Check all kinds of notify */
if (this->notify_message_type == INVALID_KE_PAYLOAD)
@ -265,9 +278,7 @@ static void compute_length (private_notify_payload_t *this)
{
length += this->spi.len;
}
this->payload_length = length;
}
/**
@ -289,7 +300,7 @@ static void set_protocol_id(private_notify_payload_t *this, u_int8_t protocol_id
/**
* Implementation of notify_payload_t.get_notify_message_type.
*/
static u_int16_t get_notify_message_type(private_notify_payload_t *this)
static notify_message_type_t get_notify_message_type(private_notify_payload_t *this)
{
return this->notify_message_type;
}
@ -305,32 +316,42 @@ static void set_notify_message_type(private_notify_payload_t *this, u_int16_t no
/**
* Implementation of notify_payload_t.get_spi.
*/
static chunk_t get_spi(private_notify_payload_t *this)
static u_int64_t get_spi(private_notify_payload_t *this)
{
return (this->spi);
switch (this->protocol_id)
{
case PROTO_IKE:
return *((u_int64_t*)this->spi.ptr);
case PROTO_AH:
case PROTO_ESP:
return *((u_int32_t*)this->spi.ptr);
default:
return 0;
}
}
/**
* Implementation of notify_payload_t.set_spi.
*/
static void set_spi(private_notify_payload_t *this, chunk_t spi)
static void set_spi(private_notify_payload_t *this, u_int64_t spi)
{
/* destroy existing data first */
if (this->spi.ptr != NULL)
chunk_free(&this->spi);
switch (this->protocol_id)
{
/* free existing value */
free(this->spi.ptr);
this->spi.ptr = NULL;
this->spi.len = 0;
case PROTO_IKE:
this->spi = chunk_alloc(8);
*((u_int64_t*)this->spi.ptr) = spi;
break;
case PROTO_AH:
case PROTO_ESP:
this->spi = chunk_alloc(4);
*((u_int32_t*)this->spi.ptr) = spi;
break;
default:
break;
}
this->spi.ptr = clalloc(spi.ptr,spi.len);
this->spi.len = spi.len;
this->spi_size = spi.len;
this->spi_size = this->spi.len;
this->compute_length(this);
}
/**
@ -376,7 +397,6 @@ static status_t destroy(private_notify_payload_t *this)
{
free(this->spi.ptr);
}
free(this);
return SUCCESS;
}
@ -400,10 +420,10 @@ notify_payload_t *notify_payload_create()
/* public functions */
this->public.get_protocol_id = (u_int8_t (*) (notify_payload_t *)) get_protocol_id;
this->public.set_protocol_id = (void (*) (notify_payload_t *,u_int8_t)) set_protocol_id;
this->public.get_notify_message_type = (u_int16_t (*) (notify_payload_t *)) get_notify_message_type;
this->public.set_notify_message_type = (void (*) (notify_payload_t *,u_int16_t)) set_notify_message_type;
this->public.get_spi = (chunk_t (*) (notify_payload_t *)) get_spi;
this->public.set_spi = (void (*) (notify_payload_t *,chunk_t)) set_spi;
this->public.get_notify_message_type = (notify_message_type_t (*) (notify_payload_t *)) get_notify_message_type;
this->public.set_notify_message_type = (void (*) (notify_payload_t *,notify_message_type_t)) set_notify_message_type;
this->public.get_spi = (u_int64_t (*) (notify_payload_t *)) get_spi;
this->public.set_spi = (void (*) (notify_payload_t *,u_int64_t)) set_spi;
this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data;
this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data;
this->public.destroy = (void (*) (notify_payload_t *)) destroy;

37
src/charon/encoding/payloads/notify_payload.h
Unescape View File

@ -64,7 +64,8 @@ enum notify_message_type_t {
INVALID_SELECTORS = 39,
INITIAL_CONTACT = 16384,
SET_WINDOW_SIZE = 16385
SET_WINDOW_SIZE = 16385,
REKEY_SA = 16393,
};
/**
@ -107,46 +108,42 @@ struct notify_payload_t {
/**
* @brief Sets the protocol id of this payload.
*
* @param this calling notify_payload_t object
* @param protocol_id protocol id to set
* @param this calling notify_payload_t object
* @param protocol_id protocol id to set
*/
void (*set_protocol_id) (notify_payload_t *this, u_int8_t protocol_id);
/**
* @brief Gets the notify message type of this payload.
*
* @param this calling notify_payload_t object
* @return notify message type of this payload
* @param this calling notify_payload_t object
* @return notify message type of this payload
*/
u_int16_t (*get_notify_message_type) (notify_payload_t *this);
notify_message_type_t (*get_notify_message_type) (notify_payload_t *this);
/**
* @brief Sets notify message type of this payload.
*
* @param this calling notify_payload_t object
* @param notify_message_type notify message type to set
* @param this calling notify_payload_t object
* @param type notify message type to set
*/
void (*set_notify_message_type) (notify_payload_t *this, u_int16_t notify_message_type);
void (*set_notify_message_type) (notify_payload_t *this, notify_message_type_t type);
/**
* @brief Returns the currently set spi of this payload.
*
* @warning Returned data are not copied.
*
*
* @param this calling notify_payload_t object
* @return chunk_t pointing to the value
* @return SPI value
*/
chunk_t (*get_spi) (notify_payload_t *this);
u_int64_t (*get_spi) (notify_payload_t *this);
/**
* @brief Sets the spi of this payload.
*
* @warning Value is getting copied.
*
* @param this calling notify_payload_t object
* @param spi chunk_t pointing to the value to set
* @param this calling notify_payload_t object
* @param spi SPI value
*/
void (*set_spi) (notify_payload_t *this, chunk_t spi);
void (*set_spi) (notify_payload_t *this, u_int64_t spi);
/**
* @brief Returns the currently set notification data of payload.
@ -163,7 +160,7 @@ struct notify_payload_t {
*
* @warning Value is getting copied.
*
* @param this calling notify_payload_t object
* @param this calling notify_payload_t object
* @param notification_data chunk_t pointing to the value to set
*/
void (*set_notification_data) (notify_payload_t *this, chunk_t notification_data);

59
src/charon/encoding/payloads/proposal_substructure.c
Unescape View File

@ -61,7 +61,7 @@ struct private_proposal_substructure_t {
/**
* Proposal number.
*/
u_int8_t proposal_number;
u_int8_t proposal_number;
/**
* Protocol ID.
@ -404,14 +404,17 @@ static size_t get_spi_size (private_proposal_substructure_t *this)
}
/**
* Implementation of proposal_substructure_t.add_to_proposal.
* Implementation of proposal_substructure_t.get_proposal.
*/
void add_to_proposal(private_proposal_substructure_t *this, proposal_t *proposal)
proposal_t* get_proposal(private_proposal_substructure_t *this)
{
iterator_t *iterator = this->transforms->create_iterator(this->transforms, TRUE);
u_int32_t spi;
iterator_t *iterator;
proposal_t *proposal;
u_int64_t spi;
proposal = proposal_create(this->protocol_id);
iterator = this->transforms->create_iterator(this->transforms, TRUE);
while (iterator->has_next(iterator))
{
transform_substructure_t *transform;
@ -425,13 +428,24 @@ void add_to_proposal(private_proposal_substructure_t *this, proposal_t *proposal
transform_id = transform->get_transform_id(transform);
transform->get_key_length(transform, &key_length);
proposal->add_algorithm(proposal, this->protocol_id, transform_type, transform_id, key_length);
proposal->add_algorithm(proposal, transform_type, transform_id, key_length);
}
iterator->destroy(iterator);
spi = *((u_int32_t*)this->spi.ptr);
switch (this->spi.len)
{
case 4:
spi = *((u_int32_t*)this->spi.ptr);
break;
case 8:
spi = *((u_int64_t*)this->spi.ptr);
break;
default:
spi = 0;
}
proposal->set_spi(proposal, spi);
proposal->set_spi(proposal, this->protocol_id, spi);
return proposal;
}
/**
@ -527,7 +541,7 @@ proposal_substructure_t *proposal_substructure_create()
this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id;
this->public.get_info_for_transform_type = (status_t (*) (proposal_substructure_t *,transform_type_t,u_int16_t *, u_int16_t *))get_info_for_transform_type;
this->public.set_is_last_proposal = (void (*) (proposal_substructure_t *,bool)) set_is_last_proposal;
this->public.add_to_proposal = (void (*) (proposal_substructure_t*,proposal_t*))add_to_proposal;
this->public.get_proposal = (proposal_t* (*) (proposal_substructure_t*))get_proposal;
this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi;
this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi;
this->public.get_transform_count = (size_t (*) (proposal_substructure_t *)) get_transform_count;
@ -556,7 +570,7 @@ proposal_substructure_t *proposal_substructure_create()
/*
* Described in header.
*/
proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal, protocol_id_t proto)
proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal)
{
private_proposal_substructure_t *this = (private_proposal_substructure_t*)proposal_substructure_create();
iterator_t *iterator;
@ -564,7 +578,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
transform_substructure_t *transform;
/* encryption algorithm is only availble in ESP */
iterator = proposal->create_algorithm_iterator(proposal, proto, ENCRYPTION_ALGORITHM);
iterator = proposal->create_algorithm_iterator(proposal, ENCRYPTION_ALGORITHM);
while (iterator->has_next(iterator))
{
iterator->current(iterator, (void**)&algo);
@ -574,7 +588,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
iterator->destroy(iterator);
/* integrity algorithms */
iterator = proposal->create_algorithm_iterator(proposal, proto, INTEGRITY_ALGORITHM);
iterator = proposal->create_algorithm_iterator(proposal, INTEGRITY_ALGORITHM);
while (iterator->has_next(iterator))
{
algorithm_t *algo;
@ -585,7 +599,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
iterator->destroy(iterator);
/* prf algorithms */
iterator = proposal->create_algorithm_iterator(proposal, proto, PSEUDO_RANDOM_FUNCTION);
iterator = proposal->create_algorithm_iterator(proposal, PSEUDO_RANDOM_FUNCTION);
while (iterator->has_next(iterator))
{
algorithm_t *algo;
@ -596,7 +610,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
iterator->destroy(iterator);
/* dh groups */
iterator = proposal->create_algorithm_iterator(proposal, proto, DIFFIE_HELLMAN_GROUP);
iterator = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP);
while (iterator->has_next(iterator))
{
algorithm_t *algo;
@ -607,7 +621,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
iterator->destroy(iterator);
/* extended sequence numbers */
iterator = proposal->create_algorithm_iterator(proposal, proto, EXTENDED_SEQUENCE_NUMBERS);
iterator = proposal->create_algorithm_iterator(proposal, EXTENDED_SEQUENCE_NUMBERS);
while (iterator->has_next(iterator))
{
algorithm_t *algo;
@ -618,12 +632,19 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
iterator->destroy(iterator);
/* take over general infos */
this->spi_size = proto == PROTO_IKE ? 8 : 4;
this->spi_size = proposal->get_protocol(proposal) == PROTO_IKE ? 8 : 4;
this->spi.len = this->spi_size;
this->spi.ptr = malloc(this->spi_size);
*((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal, proto);
this->proposal_number = proposal->get_number(proposal);
this->protocol_id = proto;
if (this->spi_size == 8)
{
*((u_int64_t*)this->spi.ptr) = proposal->get_spi(proposal);
}
else
{
*((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal);
}
this->proposal_number = 0;
this->protocol_id = proposal->get_protocol(proposal);
return &(this->public);
}

25
src/charon/encoding/payloads/proposal_substructure.h
Unescape View File

@ -174,16 +174,12 @@ struct proposal_substructure_t {
void (*set_spi) (proposal_substructure_t *this, chunk_t spi);
/**
* @brief Add this proposal_substructure to a proposal.
*
* Since a proposal_t may contain the data of multiple
* proposal_sbustructure_t's, it may be necessary to call
* the function multiple times with the same proposal.
* @brief Get a proposal_t from the propsal_substructure_t.
*
* @param this calling proposal_substructure_t object
* @param proposal proposal where the data should be added
* @return proposal_t
*/
void (*add_to_proposal) (proposal_substructure_t *this, proposal_t *proposal);
proposal_t * (*get_proposal) (proposal_substructure_t *this);
/**
* @brief Clones an proposal_substructure_t object.
@ -211,21 +207,14 @@ struct proposal_substructure_t {
proposal_substructure_t *proposal_substructure_create(void);
/**
* @brief Creates a proposal substructure from a proposal.
*
* Since a child proposal may contain data for both AH and ESP,
* the protocol must be specified. If the proposal does not contain
* data for proto, NULL is returned. Call twice, once with AH, once
* with ESP, with the same proposal to build the two substructures
* for it.
*
* @brief Creates a proposal_substructure_t from a proposal_t.
*
* @param proposal proposal to build a substruct out of it
* @param proto for which protocol the substructure should be built
* @return proposal_substructure_t object, or NULL
* @return proposal_substructure_t object
*
* @ingroup payloads
*/
proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal, protocol_id_t proto);
proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal);
#endif /*PROPOSAL_SUBSTRUCTURE_H_*/

64
src/charon/encoding/payloads/sa_payload.c
Unescape View File

@ -232,18 +232,20 @@ static iterator_t *create_proposal_substructure_iterator (private_sa_payload_t *
/**
* Implementation of sa_payload_t.add_proposal_substructure.
*/
static void add_proposal_substructure (private_sa_payload_t *this,proposal_substructure_t *proposal)
static void add_proposal_substructure(private_sa_payload_t *this,proposal_substructure_t *proposal)
{
status_t status;
if (this->proposals->get_count(this->proposals) > 0)
u_int proposal_count = this->proposals->get_count(this->proposals);
if (proposal_count > 0)
{
proposal_substructure_t *last_proposal;
status = this->proposals->get_last(this<