From 8d77eddec2bddbbf44eeec1b95c44a69426c87a6 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Wed, 7 Jun 2006 13:26:23 +0000 Subject: [PATCH] further work for rekeying: get liftimes from policy added new state initiation of rekeying done proposal redone: removed support for AH+ESP proposals --- src/charon/Makefile.am | 1 + src/charon/config/connections/connection.c | 9 +- src/charon/config/policies/policy.c | 18 + src/charon/config/policies/policy.h | 19 + src/charon/config/proposal.c | 446 ++++--------- src/charon/config/proposal.h | 64 +- src/charon/encoding/message.c | 8 +- src/charon/encoding/payloads/notify_payload.c | 76 ++- src/charon/encoding/payloads/notify_payload.h | 37 +- .../encoding/payloads/proposal_substructure.c | 59 +- .../encoding/payloads/proposal_substructure.h | 25 +- src/charon/encoding/payloads/sa_payload.c | 64 +- src/charon/queues/jobs/rekey_child_sa_job.c | 4 +- src/charon/queues/jobs/rekey_child_sa_job.h | 5 +- src/charon/sa/child_sa.c | 449 ++++++------- src/charon/sa/child_sa.h | 28 +- src/charon/sa/ike_sa.c | 594 ++++++++++++------ src/charon/sa/ike_sa.h | 28 + .../sa/states/create_child_sa_requested.c | 112 ++++ .../sa/states/create_child_sa_requested.h | 57 ++ src/charon/sa/states/ike_sa_established.c | 127 +--- src/charon/sa/states/ike_sa_init_requested.c | 4 +- src/charon/sa/states/ike_sa_init_responded.c | 6 +- src/charon/sa/states/initiator_init.c | 14 +- src/charon/sa/states/responder_init.c | 2 +- src/charon/sa/states/state.c | 1 + src/charon/sa/states/state.h | 85 ++- src/charon/testing/Makefile.am | 2 +- src/charon/testing/child_sa_test.c | 12 +- src/charon/testing/connection_test.c | 40 +- src/charon/testing/generator_test.c | 142 +---- src/charon/testing/parser_test.c | 5 +- src/charon/testing/policy_test.c | 180 +++--- src/charon/testing/proposal_test.c | 48 +- src/charon/threads/kernel_interface.c | 10 +- src/charon/threads/stroke_interface.c | 31 +- 36 files changed, 1403 insertions(+), 1409 deletions(-) create mode 100644 src/charon/sa/states/create_child_sa_requested.c create mode 100644 src/charon/sa/states/create_child_sa_requested.h diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am index d49bcd32b..a94a6dce4 100644 --- a/src/charon/Makefile.am +++ b/src/charon/Makefile.am @@ -13,6 +13,7 @@ sa/states/ike_sa_init_responded.c sa/states/ike_sa_established.c sa/states/ike_s sa/states/responder_init.c sa/states/responder_init.h sa/states/initiator_init.c sa/states/initiator_init.h \ sa/states/ike_sa_init_responded.h sa/states/ike_auth_requested.c sa/states/ike_auth_requested.h \ sa/states/delete_requested.h sa/states/delete_requested.c \ +sa/states/create_child_sa_requested.c sa/states/create_child_sa_requested.h \ sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \ sa/ike_sa_id.c sa/ike_sa_id.h sa/authenticator.c sa/authenticator.h encoding/payloads/encryption_payload.c \ encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \ diff --git a/src/charon/config/connections/connection.c b/src/charon/config/connections/connection.c index 16dc75baf..9893c8a4c 100644 --- a/src/charon/config/connections/connection.c +++ b/src/charon/config/connections/connection.c @@ -155,7 +155,7 @@ static proposal_t *select_proposal(private_connection_t *this, linked_list_t *pr { supplied_iter->reset(supplied_iter); stored_iter->current(stored_iter, (void**)&stored); - + while (supplied_iter->has_next(supplied_iter)) { supplied_iter->current(supplied_iter, (void**)&supplied); @@ -169,7 +169,6 @@ static proposal_t *select_proposal(private_connection_t *this, linked_list_t *pr } } } - /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */ stored_iter->destroy(stored_iter); supplied_iter->destroy(supplied_iter); @@ -206,7 +205,7 @@ static diffie_hellman_group_t get_dh_group(private_connection_t *this) while (iterator->has_next(iterator)) { iterator->current(iterator, (void**)&proposal); - proposal->get_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, &algo); + proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo); if (algo) { iterator->destroy(iterator); @@ -230,7 +229,7 @@ static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh while (prop_iter->has_next(prop_iter)) { prop_iter->current(prop_iter, (void**)&proposal); - alg_iter = proposal->create_algorithm_iterator(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP); + alg_iter = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP); while (alg_iter->has_next(alg_iter)) { alg_iter->current(alg_iter, (void**)&algo); @@ -322,7 +321,7 @@ connection_t * connection_create(char *name, bool ikev2, host_t *my_host, host_t this->my_host = my_host; this->other_host = other_host; this->auth_method = auth_method; - + this->proposals = linked_list_create(); return (&this->public); diff --git a/src/charon/config/policies/policy.c b/src/charon/config/policies/policy.c index 94a6dea83..ac30afe74 100644 --- a/src/charon/config/policies/policy.c +++ b/src/charon/config/policies/policy.c @@ -288,6 +288,22 @@ static void add_proposal(private_policy_t *this, proposal_t *proposal) this->proposals->insert_last(this->proposals, (void*)proposal); } +/** + * Implementation of policy_t.get_soft_lifetime + */ +static u_int32_t get_soft_lifetime(policy_t *this) +{ + return 0; /*5 + random() % 5; */ +} + +/** + * Implementation of policy_t.get_hard_lifetime + */ +static u_int32_t get_hard_lifetime(policy_t *this) +{ + return 0; /*20; */ +} + /** * Implements policy_t.clone. */ @@ -396,6 +412,8 @@ policy_t *policy_create(char *name, identification_t *my_id, identification_t *o this->public.add_my_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_my_traffic_selector; this->public.add_other_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_other_traffic_selector; this->public.add_proposal = (void(*)(policy_t*,proposal_t*))add_proposal; + this->public.get_soft_lifetime = (u_int32_t (*) (policy_t *))get_soft_lifetime; + this->public.get_hard_lifetime = (u_int32_t (*) (policy_t *))get_hard_lifetime; this->public.clone = (policy_t*(*)(policy_t*))clone; this->public.destroy = (void(*)(policy_t*))destroy; diff --git a/src/charon/config/policies/policy.h b/src/charon/config/policies/policy.h index 5956d9864..b9d4e94a6 100644 --- a/src/charon/config/policies/policy.h +++ b/src/charon/config/policies/policy.h @@ -229,6 +229,25 @@ struct policy_t { */ void (*add_proposal) (policy_t *this, proposal_t *proposal); + /** + * @brief Get the lifetime of a policy, before rekeying starts. + * + * A call to this function automatically adds a jitter to + * avoid simultanous rekeying. + * + * @param this policy + * @return lifetime in seconds + */ + u_int32_t (*get_soft_lifetime) (policy_t *this); + + /** + * @brief Get the lifetime of a policy, before SA gets deleted. + * + * @param this policy + * @return lifetime in seconds + */ + u_int32_t (*get_hard_lifetime) (policy_t *this); + /** * @brief Clone a policy. * diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c index cb71a756a..09fa150db 100644 --- a/src/charon/config/proposal.c +++ b/src/charon/config/proposal.c @@ -62,13 +62,18 @@ mapping_t extended_sequence_numbers_m[] = { {MAPPING_END, NULL} }; - -typedef struct protocol_proposal_t protocol_proposal_t; +typedef struct private_proposal_t private_proposal_t; /** - * substructure which holds all data algos for a specific protocol + * Private data of an proposal_t object */ -struct protocol_proposal_t { +struct private_proposal_t { + + /** + * Public part + */ + proposal_t public; + /** * protocol (ESP or AH) */ @@ -96,85 +101,15 @@ struct protocol_proposal_t { /** * priority ordered list of extended sequence number flags - */ + */ linked_list_t *esns; /** * senders SPI */ - chunk_t spi; + u_int64_t spi; }; - -typedef struct private_proposal_t private_proposal_t; - -/** - * Private data of an proposal_t object - */ -struct private_proposal_t { - - /** - * Public part - */ - proposal_t public; - - /** - * number of this proposal, as used in the payload - */ - u_int8_t number; - - /** - * list of protocol_proposal_t's - */ - linked_list_t *protocol_proposals; -}; - -/** - * Look up a protocol_proposal, or create one if necessary... - */ -static protocol_proposal_t *get_protocol_proposal(private_proposal_t *this, protocol_id_t proto, bool create) -{ - protocol_proposal_t *proto_proposal = NULL, *current_proto_proposal;; - iterator_t *iterator; - - /* find our protocol in the proposals */ - iterator = this->protocol_proposals->create_iterator(this->protocol_proposals, TRUE); - while (iterator->has_next(iterator)) - { - iterator->current(iterator, (void**)¤t_proto_proposal); - if (current_proto_proposal->protocol == proto) - { - proto_proposal = current_proto_proposal; - break; - } - } - iterator->destroy(iterator); - - if (!proto_proposal && create) - { - /* nope, create a new one */ - proto_proposal = malloc_thing(protocol_proposal_t); - proto_proposal->protocol = proto; - proto_proposal->encryption_algos = linked_list_create(); - proto_proposal->integrity_algos = linked_list_create(); - proto_proposal->prf_algos = linked_list_create(); - proto_proposal->dh_groups = linked_list_create(); - proto_proposal->esns = linked_list_create(); - if (proto == PROTO_IKE) - { - proto_proposal->spi.len = 8; - } - else - { - proto_proposal->spi.len = 4; - } - proto_proposal->spi.ptr = malloc(proto_proposal->spi.len); - /* add to the list */ - this->protocol_proposals->insert_last(this->protocol_proposals, (void*)proto_proposal); - } - return proto_proposal; -} - /** * Add algorithm/keysize to a algorithm list */ @@ -190,26 +125,24 @@ static void add_algo(linked_list_t *list, u_int8_t algo, size_t key_size) /** * Implements proposal_t.add_algorithm */ -static void add_algorithm(private_proposal_t *this, protocol_id_t proto, transform_type_t type, u_int16_t algo, size_t key_size) +static void add_algorithm(private_proposal_t *this, transform_type_t type, u_int16_t algo, size_t key_size) { - protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, TRUE); - switch (type) { case ENCRYPTION_ALGORITHM: - add_algo(proto_proposal->encryption_algos, algo, key_size); + add_algo(this->encryption_algos, algo, key_size); break; case INTEGRITY_ALGORITHM: - add_algo(proto_proposal->integrity_algos, algo, key_size); + add_algo(this->integrity_algos, algo, key_size); break; case PSEUDO_RANDOM_FUNCTION: - add_algo(proto_proposal->prf_algos, algo, key_size); + add_algo(this->prf_algos, algo, key_size); break; case DIFFIE_HELLMAN_GROUP: - add_algo(proto_proposal->dh_groups, algo, 0); + add_algo(this->dh_groups, algo, 0); break; case EXTENDED_SEQUENCE_NUMBERS: - add_algo(proto_proposal->esns, algo, 0); + add_algo(this->esns, algo, 0); break; default: break; @@ -219,31 +152,25 @@ static void add_algorithm(private_proposal_t *this, protocol_id_t proto, transfo /** * Implements proposal_t.get_algorithm. */ -static bool get_algorithm(private_proposal_t *this, protocol_id_t proto, transform_type_t type, algorithm_t** algo) +static bool get_algorithm(private_proposal_t *this, transform_type_t type, algorithm_t** algo) { - linked_list_t * list; - protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE); - - if (proto_proposal == NULL) - { - return FALSE; - } + linked_list_t *list; switch (type) { case ENCRYPTION_ALGORITHM: - list = proto_proposal->encryption_algos; + list = this->encryption_algos; break; case INTEGRITY_ALGORITHM: - list = proto_proposal->integrity_algos; + list = this->integrity_algos; break; case PSEUDO_RANDOM_FUNCTION: - list = proto_proposal->prf_algos; + list = this->prf_algos; break; case DIFFIE_HELLMAN_GROUP: - list = proto_proposal->dh_groups; + list = this->dh_groups; break; case EXTENDED_SEQUENCE_NUMBERS: - list = proto_proposal->esns; + list = this->esns; break; default: return FALSE; @@ -258,26 +185,20 @@ static bool get_algorithm(private_proposal_t *this, protocol_id_t proto, transfo /** * Implements proposal_t.create_algorithm_iterator. */ -static iterator_t *create_algorithm_iterator(private_proposal_t *this, protocol_id_t proto, transform_type_t type) +static iterator_t *create_algorithm_iterator(private_proposal_t *this, transform_type_t type) { - protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE); - if (proto_proposal == NULL) - { - return NULL; - } - switch (type) { case ENCRYPTION_ALGORITHM: - return proto_proposal->encryption_algos->create_iterator(proto_proposal->encryption_algos, TRUE); + return this->encryption_algos->create_iterator(this->encryption_algos, TRUE); case INTEGRITY_ALGORITHM: - return proto_proposal->integrity_algos->create_iterator(proto_proposal->integrity_algos, TRUE); + return this->integrity_algos->create_iterator(this->integrity_algos, TRUE); case PSEUDO_RANDOM_FUNCTION: - return proto_proposal->prf_algos->create_iterator(proto_proposal->prf_algos, TRUE); + return this->prf_algos->create_iterator(this->prf_algos, TRUE); case DIFFIE_HELLMAN_GROUP: - return proto_proposal->dh_groups->create_iterator(proto_proposal->dh_groups, TRUE); + return this->dh_groups->create_iterator(this->dh_groups, TRUE); case EXTENDED_SEQUENCE_NUMBERS: - return proto_proposal->esns->create_iterator(proto_proposal->esns, TRUE); + return this->esns->create_iterator(this->esns, TRUE); default: break; } @@ -336,201 +257,112 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t proposal_t *selected; u_int16_t algo; size_t key_size; - iterator_t *iterator; - protocol_proposal_t *this_prop, *other_prop; - protocol_id_t proto; bool add; u_int64_t spi; - /* empty proposal? no match */ - if (this->protocol_proposals->get_count(this->protocol_proposals) == 0 || - other->protocol_proposals->get_count(other->protocol_proposals) == 0) - { - return NULL; - } - /* they MUST have the same amount of protocols */ - if (this->protocol_proposals->get_count(this->protocol_proposals) != - other->protocol_proposals->get_count(other->protocol_proposals)) + /* check protocol */ + if (this->protocol != other->protocol) { return NULL; } - selected = proposal_create(this->number); + selected = proposal_create(this->protocol); - /* iterate over supplied proposals */ - iterator = other->protocol_proposals->create_iterator(other->protocol_proposals, TRUE); - while (iterator->has_next(iterator)) + /* select encryption algorithm */ + if (select_algo(this->encryption_algos, other->encryption_algos, &add, &algo, &key_size)) { - iterator->current(iterator, (void**)&other_prop); - /* get the proposal with the same protocol */ - proto = other_prop->protocol; - this_prop = get_protocol_proposal(this, proto, FALSE); - - if (this_prop == NULL) + if (add) { - iterator->destroy(iterator); - selected->destroy(selected); - return NULL; - } - - /* select encryption algorithm */ - if (select_algo(this_prop->encryption_algos, other_prop->encryption_algos, &add, &algo, &key_size)) - { - if (add) - { - selected->add_algorithm(selected, proto, ENCRYPTION_ALGORITHM, algo, key_size); - } - } - else - { - iterator->destroy(iterator); - selected->destroy(selected); - return NULL; - } - /* select integrity algorithm */ - if (select_algo(this_prop->integrity_algos, other_prop->integrity_algos, &add, &algo, &key_size)) - { - if (add) - { - selected->add_algorithm(selected, proto, INTEGRITY_ALGORITHM, algo, key_size); - } - } - else - { - iterator->destroy(iterator); - selected->destroy(selected); - return NULL; - } - /* select prf algorithm */ - if (select_algo(this_prop->prf_algos, other_prop->prf_algos, &add, &algo, &key_size)) - { - if (add) - { - selected->add_algorithm(selected, proto, PSEUDO_RANDOM_FUNCTION, algo, key_size); - } - } - else - { - iterator->destroy(iterator); - selected->destroy(selected); - return NULL; - } - /* select a DH-group */ - if (select_algo(this_prop->dh_groups, other_prop->dh_groups, &add, &algo, &key_size)) - { - if (add) - { - selected->add_algorithm(selected, proto, DIFFIE_HELLMAN_GROUP, algo, 0); - } - } - else - { - iterator->destroy(iterator); - selected->destroy(selected); - return NULL; - } - /* select if we use ESNs */ - if (select_algo(this_prop->esns, other_prop->esns, &add, &algo, &key_size)) - { - if (add) - { - selected->add_algorithm(selected, proto, EXTENDED_SEQUENCE_NUMBERS, algo, 0); - } - } - else - { - iterator->destroy(iterator); - selected->destroy(selected); - return NULL; + selected->add_algorithm(selected, ENCRYPTION_ALGORITHM, algo, key_size); } } - iterator->destroy(iterator); + else + { + selected->destroy(selected); + return NULL; + } + /* select integrity algorithm */ + if (select_algo(this->integrity_algos, other->integrity_algos, &add, &algo, &key_size)) + { + if (add) + { + selected->add_algorithm(selected, INTEGRITY_ALGORITHM, algo, key_size); + } + } + else + { + selected->destroy(selected); + return NULL; + } + /* select prf algorithm */ + if (select_algo(this->prf_algos, other->prf_algos, &add, &algo, &key_size)) + { + if (add) + { + selected->add_algorithm(selected, PSEUDO_RANDOM_FUNCTION, algo, key_size); + } + } + else + { + selected->destroy(selected); + return NULL; + } + /* select a DH-group */ + if (select_algo(this->dh_groups, other->dh_groups, &add, &algo, &key_size)) + { + if (add) + { + selected->add_algorithm(selected, DIFFIE_HELLMAN_GROUP, algo, 0); + } + } + else + { + selected->destroy(selected); + return NULL; + } + /* select if we use ESNs */ + if (select_algo(this->esns, other->esns, &add, &algo, &key_size)) + { + if (add) + { + selected->add_algorithm(selected, EXTENDED_SEQUENCE_NUMBERS, algo, 0); + } + } + else + { + selected->destroy(selected); + return NULL; + } - /* apply spis from "other" */ - spi = other->public.get_spi(&(other->public), PROTO_AH); - if (spi) - { - selected->set_spi(selected, PROTO_AH, spi); - } - spi = other->public.get_spi(&(other->public), PROTO_ESP); - if (spi) - { - selected->set_spi(selected, PROTO_ESP, spi); - } + /* apply SPI from "other" */ + selected->set_spi(selected, other->spi); /* everything matched, return new proposal */ return selected; } -/** - * Implements proposal_t.get_number. - */ -static u_int8_t get_number(private_proposal_t *this) -{ - return this->number; -} - /** * Implements proposal_t.get_protocols. */ -static void get_protocols(private_proposal_t *this, protocol_id_t ids[2]) +static protocol_id_t get_protocol(private_proposal_t *this) { - iterator_t *iterator = this->protocol_proposals->create_iterator(this->protocol_proposals, TRUE); - u_int i = 0; - - ids[0] = PROTO_NONE; - ids[1] = PROTO_NONE; - while (iterator->has_next(iterator)) - { - protocol_proposal_t *proto_prop; - iterator->current(iterator, (void**)&proto_prop); - ids[i++] = proto_prop->protocol; - if (i>1) - { - /* should not happen, but who knows */ - break; - } - } - iterator->destroy(iterator); + return this->protocol; } /** * Implements proposal_t.set_spi. */ -static void set_spi(private_proposal_t *this, protocol_id_t proto, u_int64_t spi) +static void set_spi(private_proposal_t *this, u_int64_t spi) { - protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE); - if (proto_proposal) - { - if (proto == PROTO_AH || proto == PROTO_ESP) - { - *((u_int32_t*)proto_proposal->spi.ptr) = (u_int32_t)spi; - } - else - { - *((u_int64_t*)proto_proposal->spi.ptr) = spi; - } - } + this->spi = spi; } /** * Implements proposal_t.get_spi. */ -static u_int64_t get_spi(private_proposal_t *this, protocol_id_t proto) +static u_int64_t get_spi(private_proposal_t *this) { - protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE); - if (proto_proposal) - { - if (proto == PROTO_AH || proto == PROTO_ESP) - { - return (u_int64_t)*((u_int32_t*)proto_proposal->spi.ptr); - } - else - { - return *((u_int64_t*)proto_proposal->spi.ptr); - } - } - return 0; + return this->spi; } /** @@ -555,24 +387,15 @@ static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list) */ static proposal_t *clone(private_proposal_t *this) { - private_proposal_t *clone = (private_proposal_t*)proposal_create(this->number); + private_proposal_t *clone = (private_proposal_t*)proposal_create(this->protocol); - iterator_t *iterator = this->protocol_proposals->create_iterator(this->protocol_proposals, TRUE); - while (iterator->has_next(iterator)) - { - protocol_proposal_t *proto_prop, *clone_proto_prop; - iterator->current(iterator, (void**)&proto_prop); - - clone_proto_prop = get_protocol_proposal(clone, proto_prop->protocol, TRUE); - memcpy(clone_proto_prop->spi.ptr, proto_prop->spi.ptr, clone_proto_prop->spi.len); - - clone_algo_list(proto_prop->encryption_algos, clone_proto_prop->encryption_algos); - clone_algo_list(proto_prop->integrity_algos, clone_proto_prop->integrity_algos); - clone_algo_list(proto_prop->prf_algos, clone_proto_prop->prf_algos); - clone_algo_list(proto_prop->dh_groups, clone_proto_prop->dh_groups); - clone_algo_list(proto_prop->esns, clone_proto_prop->esns); - } - iterator->destroy(iterator); + clone_algo_list(this->encryption_algos, clone->encryption_algos); + clone_algo_list(this->integrity_algos, clone->integrity_algos); + clone_algo_list(this->prf_algos, clone->prf_algos); + clone_algo_list(this->dh_groups, clone->dh_groups); + clone_algo_list(this->esns, clone->esns); + + clone->spi = this->spi; return &clone->public; } @@ -597,46 +420,39 @@ static void free_algo_list(linked_list_t *list) */ static void destroy(private_proposal_t *this) { - while(this->protocol_proposals->get_count(this->protocol_proposals) > 0) - { - protocol_proposal_t *proto_prop; - this->protocol_proposals->remove_last(this->protocol_proposals, (void**)&proto_prop); - - free_algo_list(proto_prop->encryption_algos); - free_algo_list(proto_prop->integrity_algos); - free_algo_list(proto_prop->prf_algos); - free_algo_list(proto_prop->dh_groups); - free_algo_list(proto_prop->esns); - - free(proto_prop->spi.ptr); - free(proto_prop); - } - this->protocol_proposals->destroy(this->protocol_proposals); - + free_algo_list(this->encryption_algos); + free_algo_list(this->integrity_algos); + free_algo_list(this->prf_algos); + free_algo_list(this->dh_groups); + free_algo_list(this->esns); free(this); } /* * Describtion in header-file */ -proposal_t *proposal_create(u_int8_t number) +proposal_t *proposal_create(protocol_id_t protocol) { private_proposal_t *this = malloc_thing(private_proposal_t); - this->public.add_algorithm = (void (*)(proposal_t*,protocol_id_t,transform_type_t,u_int16_t,size_t))add_algorithm; - this->public.create_algorithm_iterator = (iterator_t* (*)(proposal_t*,protocol_id_t,transform_type_t))create_algorithm_iterator; - this->public.get_algorithm = (bool (*)(proposal_t*,protocol_id_t,transform_type_t,algorithm_t**))get_algorithm; + this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,size_t))add_algorithm; + this->public.create_algorithm_iterator = (iterator_t* (*)(proposal_t*,transform_type_t))create_algorithm_iterator; + this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,algorithm_t**))get_algorithm; this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*))select_proposal; - this->public.get_number = (u_int8_t (*)(proposal_t*))get_number; - this->public.get_protocols = (void(*)(proposal_t *this, protocol_id_t ids[2]))get_protocols; - this->public.set_spi = (void(*)(proposal_t*,protocol_id_t,u_int64_t spi))set_spi; - this->public.get_spi = (u_int64_t(*)(proposal_t*,protocol_id_t))get_spi; + this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol; + this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi; + this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi; this->public.clone = (proposal_t*(*)(proposal_t*))clone; this->public.destroy = (void(*)(proposal_t*))destroy; - /* init private members*/ - this->number = number; - this->protocol_proposals = linked_list_create(); + this->spi = 0; + this->protocol = protocol; - return (&this->public); + this->encryption_algos = linked_list_create(); + this->integrity_algos = linked_list_create(); + this->prf_algos = linked_list_create(); + this->dh_groups = linked_list_create(); + this->esns = linked_list_create(); + + return &this->public; } diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h index 48e3ad8d5..02819559b 100644 --- a/src/charon/config/proposal.h +++ b/src/charon/config/proposal.h @@ -123,13 +123,9 @@ typedef struct proposal_t proposal_t; * @brief Stores a set of algorithms used for an SA. * * A proposal stores algorithms for a specific - * protocol. It can store algorithms for more than - * one protocol (e.g. AH and ESP). Then the proposal - * means both protocols must be used. - * A proposal may contain more than one algorithm - * of the same kind. ONE of them can be selected. - * - * @warning This class is NOT thread-save! + * protocol. It can store algorithms for one protocol. + * Proposals with multiple protocols are not supported, + * as it's not specified in RFC4301 anymore. * * @b Constructors: * - proposal_create() @@ -150,25 +146,21 @@ struct proposal_t { * integrity_algorithm_t, dh_group_number_t and * extended_sequence_numbers_t. * - * @warning Do not add while other threads are reading. - * * @param this calling object - * @param proto desired protocol * @param type kind of algorithm * @param alg identifier for algorithm * @param key_size key size to use */ - void (*add_algorithm) (proposal_t *this, protocol_id_t proto, transform_type_t type, u_int16_t alg, size_t key_size); + void (*add_algorithm) (proposal_t *this, transform_type_t type, u_int16_t alg, size_t key_size); /** - * @brief Get an iterator over algorithms for a specifc protocol/algo type. + * @brief Get an iterator over algorithms for a specifc algo type. * * @param this calling object - * @param proto desired protocol * @param type kind of algorithm - * @return iterator over algorithms + * @return iterator over algorithm_t's */ - iterator_t *(*create_algorithm_iterator) (proposal_t *this, protocol_id_t proto, transform_type_t type); + iterator_t *(*create_algorithm_iterator) (proposal_t *this, transform_type_t type); /** * @brief Get the algorithm for a type to use. @@ -177,12 +169,11 @@ struct proposal_t { * Result is still owned by proposal, do not modify! * * @param this calling object - * @param proto desired protocol * @param type kind of algorithm * @param[out] algo pointer which receives algorithm and key size * @return TRUE if algorithm of this kind available */ - bool (*get_algorithm) (proposal_t *this, protocol_id_t proto, transform_type_t type, algorithm_t** algo); + bool (*get_algorithm) (proposal_t *this, transform_type_t type, algorithm_t** algo); /** * @brief Compare two proposal, and select a matching subset. @@ -200,41 +191,28 @@ struct proposal_t { proposal_t *(*select) (proposal_t *this, proposal_t *other); /** - * @brief Get the number set on construction. - * + * @brief Get the protocol ID of the proposal. + * * @param this calling object - * @return number + * @return protocol of the proposal */ - u_int8_t (*get_number) (proposal_t *this); + protocol_id_t (*get_protocol) (proposal_t *this); /** - * @brief Get the protocol ids in the proposals. - * - * With AH and ESP, there could be two protocols in one - * proposal. + * @brief Get the SPI of the proposal. * * @param this calling object - * @param ids array of protocol ids, - */ - void (*get_protocols) (proposal_t *this, protocol_id_t ids[2]); - - /** - * @brief Get the spi for a specific protocol. - * - * @param this calling object - * @param proto AH/ESP * @return spi for proto */ - u_int64_t (*get_spi) (proposal_t *this, protocol_id_t proto); + u_int64_t (*get_spi) (proposal_t *this); /** - * @brief Set the spi for a specific protocol. + * @brief Set the SPI of the proposal. * * @param this calling object - * @param proto AH/ESP * @param spi spi to set for proto */ - void (*set_spi) (proposal_t *this, protocol_id_t proto, u_int64_t spi); + void (*set_spi) (proposal_t *this, u_int64_t spi); /** * @brief Clone a proposal. @@ -253,17 +231,13 @@ struct proposal_t { }; /** - * @brief Create a child proposal for AH and/or ESP. + * @brief Create a child proposal for AH, ESP or IKE. * - * Since the order of multiple proposals is important for - * key derivation, we must assign them numbers as they - * appear in the raw payload. Numbering starts at 1. - * - * @param number number of the proposal, as in the payload + * @param protocol protocol, such as PROTO_ESP * @return proposal_t object * * @ingroup config */ -proposal_t *proposal_create(u_int8_t number); +proposal_t *proposal_create(protocol_id_t protocol); #endif /* PROPOSAL_H_ */ diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c index 8a7998e66..db6d6ea5d 100644 --- a/src/charon/encoding/message.c +++ b/src/charon/encoding/message.c @@ -187,7 +187,7 @@ static payload_rule_t informational_r_payload_rules[] = { /** * Message rule for CREATE_CHILD_SA from initiator. */ -static payload_rule_t create_child_sa_r_payload_rules[] = { +static payload_rule_t create_child_sa_i_payload_rules[] = { {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE}, {SECURITY_ASSOCIATION,1,1,TRUE,FALSE}, {NONCE,1,1,TRUE,FALSE}, @@ -200,7 +200,7 @@ static payload_rule_t create_child_sa_r_payload_rules[] = { /** * Message rule for CREATE_CHILD_SA from responder. */ -static payload_rule_t create_child_sa_i_payload_rules[] = { +static payload_rule_t create_child_sa_r_payload_rules[] = { {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE}, {SECURITY_ASSOCIATION,1,1,TRUE,FALSE}, {NONCE,1,1,TRUE,FALSE}, @@ -220,7 +220,9 @@ static message_rule_t message_rules[] = { {IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules}, {IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules}, {INFORMATIONAL,TRUE,TRUE,(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),informational_i_payload_rules}, - {INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules} + {INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules}, + {CREATE_CHILD_SA,TRUE,TRUE,(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),create_child_sa_i_payload_rules}, + {CREATE_CHILD_SA,FALSE,TRUE,(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),create_child_sa_r_payload_rules}, }; diff --git a/src/charon/encoding/payloads/notify_payload.c b/src/charon/encoding/payloads/notify_payload.c index a4062cf42..a09e33778 100644 --- a/src/charon/encoding/payloads/notify_payload.c +++ b/src/charon/encoding/payloads/notify_payload.c @@ -173,12 +173,25 @@ encoding_rule_t notify_payload_encodings[] = { */ static status_t verify(private_notify_payload_t *this) { - if (this->protocol_id > 3) + switch (this->protocol_id) { - /* reserved for future use */ - return FAILED; + case PROTO_IKE: + if (this->spi.len != 8) + { + return FAILED; + } + break; + case PROTO_AH: + case PROTO_ESP: + if (this->spi.len != 4) + { + return FAILED; + } + break; + default: + return FAILED; } - + /* TODO: Check all kinds of notify */ if (this->notify_message_type == INVALID_KE_PAYLOAD) @@ -265,9 +278,7 @@ static void compute_length (private_notify_payload_t *this) { length += this->spi.len; } - this->payload_length = length; - } /** @@ -289,7 +300,7 @@ static void set_protocol_id(private_notify_payload_t *this, u_int8_t protocol_id /** * Implementation of notify_payload_t.get_notify_message_type. */ -static u_int16_t get_notify_message_type(private_notify_payload_t *this) +static notify_message_type_t get_notify_message_type(private_notify_payload_t *this) { return this->notify_message_type; } @@ -305,32 +316,42 @@ static void set_notify_message_type(private_notify_payload_t *this, u_int16_t no /** * Implementation of notify_payload_t.get_spi. */ -static chunk_t get_spi(private_notify_payload_t *this) +static u_int64_t get_spi(private_notify_payload_t *this) { - return (this->spi); + switch (this->protocol_id) + { + case PROTO_IKE: + return *((u_int64_t*)this->spi.ptr); + case PROTO_AH: + case PROTO_ESP: + return *((u_int32_t*)this->spi.ptr); + default: + return 0; + } } /** * Implementation of notify_payload_t.set_spi. */ -static void set_spi(private_notify_payload_t *this, chunk_t spi) +static void set_spi(private_notify_payload_t *this, u_int64_t spi) { - /* destroy existing data first */ - if (this->spi.ptr != NULL) + chunk_free(&this->spi); + switch (this->protocol_id) { - /* free existing value */ - free(this->spi.ptr); - this->spi.ptr = NULL; - this->spi.len = 0; - + case PROTO_IKE: + this->spi = chunk_alloc(8); + *((u_int64_t*)this->spi.ptr) = spi; + break; + case PROTO_AH: + case PROTO_ESP: + this->spi = chunk_alloc(4); + *((u_int32_t*)this->spi.ptr) = spi; + break; + default: + break; } - - this->spi.ptr = clalloc(spi.ptr,spi.len); - - this->spi.len = spi.len; - this->spi_size = spi.len; + this->spi_size = this->spi.len; this->compute_length(this); - } /** @@ -376,7 +397,6 @@ static status_t destroy(private_notify_payload_t *this) { free(this->spi.ptr); } - free(this); return SUCCESS; } @@ -400,10 +420,10 @@ notify_payload_t *notify_payload_create() /* public functions */ this->public.get_protocol_id = (u_int8_t (*) (notify_payload_t *)) get_protocol_id; this->public.set_protocol_id = (void (*) (notify_payload_t *,u_int8_t)) set_protocol_id; - this->public.get_notify_message_type = (u_int16_t (*) (notify_payload_t *)) get_notify_message_type; - this->public.set_notify_message_type = (void (*) (notify_payload_t *,u_int16_t)) set_notify_message_type; - this->public.get_spi = (chunk_t (*) (notify_payload_t *)) get_spi; - this->public.set_spi = (void (*) (notify_payload_t *,chunk_t)) set_spi; + this->public.get_notify_message_type = (notify_message_type_t (*) (notify_payload_t *)) get_notify_message_type; + this->public.set_notify_message_type = (void (*) (notify_payload_t *,notify_message_type_t)) set_notify_message_type; + this->public.get_spi = (u_int64_t (*) (notify_payload_t *)) get_spi; + this->public.set_spi = (void (*) (notify_payload_t *,u_int64_t)) set_spi; this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data; this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data; this->public.destroy = (void (*) (notify_payload_t *)) destroy; diff --git a/src/charon/encoding/payloads/notify_payload.h b/src/charon/encoding/payloads/notify_payload.h index ab86a6d53..ef425f314 100644 --- a/src/charon/encoding/payloads/notify_payload.h +++ b/src/charon/encoding/payloads/notify_payload.h @@ -64,7 +64,8 @@ enum notify_message_type_t { INVALID_SELECTORS = 39, INITIAL_CONTACT = 16384, - SET_WINDOW_SIZE = 16385 + SET_WINDOW_SIZE = 16385, + REKEY_SA = 16393, }; /** @@ -107,46 +108,42 @@ struct notify_payload_t { /** * @brief Sets the protocol id of this payload. * - * @param this calling notify_payload_t object - * @param protocol_id protocol id to set + * @param this calling notify_payload_t object + * @param protocol_id protocol id to set */ void (*set_protocol_id) (notify_payload_t *this, u_int8_t protocol_id); /** * @brief Gets the notify message type of this payload. * - * @param this calling notify_payload_t object - * @return notify message type of this payload + * @param this calling notify_payload_t object + * @return notify message type of this payload */ - u_int16_t (*get_notify_message_type) (notify_payload_t *this); + notify_message_type_t (*get_notify_message_type) (notify_payload_t *this); /** * @brief Sets notify message type of this payload. * - * @param this calling notify_payload_t object - * @param notify_message_type notify message type to set + * @param this calling notify_payload_t object + * @param type notify message type to set */ - void (*set_notify_message_type) (notify_payload_t *this, u_int16_t notify_message_type); + void (*set_notify_message_type) (notify_payload_t *this, notify_message_type_t type); /** * @brief Returns the currently set spi of this payload. - * - * @warning Returned data are not copied. - * + * * @param this calling notify_payload_t object - * @return chunk_t pointing to the value + * @return SPI value */ - chunk_t (*get_spi) (notify_payload_t *this); + u_int64_t (*get_spi) (notify_payload_t *this); /** * @brief Sets the spi of this payload. - * - * @warning Value is getting copied. * - * @param this calling notify_payload_t object - * @param spi chunk_t pointing to the value to set + * @param this calling notify_payload_t object + * @param spi SPI value */ - void (*set_spi) (notify_payload_t *this, chunk_t spi); + void (*set_spi) (notify_payload_t *this, u_int64_t spi); /** * @brief Returns the currently set notification data of payload. @@ -163,7 +160,7 @@ struct notify_payload_t { * * @warning Value is getting copied. * - * @param this calling notify_payload_t object + * @param this calling notify_payload_t object * @param notification_data chunk_t pointing to the value to set */ void (*set_notification_data) (notify_payload_t *this, chunk_t notification_data); diff --git a/src/charon/encoding/payloads/proposal_substructure.c b/src/charon/encoding/payloads/proposal_substructure.c index cb3c695b2..f72fbb1c2 100644 --- a/src/charon/encoding/payloads/proposal_substructure.c +++ b/src/charon/encoding/payloads/proposal_substructure.c @@ -61,7 +61,7 @@ struct private_proposal_substructure_t { /** * Proposal number. */ - u_int8_t proposal_number; + u_int8_t proposal_number; /** * Protocol ID. @@ -404,14 +404,17 @@ static size_t get_spi_size (private_proposal_substructure_t *this) } /** - * Implementation of proposal_substructure_t.add_to_proposal. + * Implementation of proposal_substructure_t.get_proposal. */ -void add_to_proposal(private_proposal_substructure_t *this, proposal_t *proposal) +proposal_t* get_proposal(private_proposal_substructure_t *this) { - iterator_t *iterator = this->transforms->create_iterator(this->transforms, TRUE); - u_int32_t spi; + iterator_t *iterator; + proposal_t *proposal; + u_int64_t spi; + proposal = proposal_create(this->protocol_id); + iterator = this->transforms->create_iterator(this->transforms, TRUE); while (iterator->has_next(iterator)) { transform_substructure_t *transform; @@ -425,13 +428,24 @@ void add_to_proposal(private_proposal_substructure_t *this, proposal_t *proposal transform_id = transform->get_transform_id(transform); transform->get_key_length(transform, &key_length); - proposal->add_algorithm(proposal, this->protocol_id, transform_type, transform_id, key_length); + proposal->add_algorithm(proposal, transform_type, transform_id, key_length); } iterator->destroy(iterator); - spi = *((u_int32_t*)this->spi.ptr); + switch (this->spi.len) + { + case 4: + spi = *((u_int32_t*)this->spi.ptr); + break; + case 8: + spi = *((u_int64_t*)this->spi.ptr); + break; + default: + spi = 0; + } + proposal->set_spi(proposal, spi); - proposal->set_spi(proposal, this->protocol_id, spi); + return proposal; } /** @@ -527,7 +541,7 @@ proposal_substructure_t *proposal_substructure_create() this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id; this->public.get_info_for_transform_type = (status_t (*) (proposal_substructure_t *,transform_type_t,u_int16_t *, u_int16_t *))get_info_for_transform_type; this->public.set_is_last_proposal = (void (*) (proposal_substructure_t *,bool)) set_is_last_proposal; - this->public.add_to_proposal = (void (*) (proposal_substructure_t*,proposal_t*))add_to_proposal; + this->public.get_proposal = (proposal_t* (*) (proposal_substructure_t*))get_proposal; this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi; this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi; this->public.get_transform_count = (size_t (*) (proposal_substructure_t *)) get_transform_count; @@ -556,7 +570,7 @@ proposal_substructure_t *proposal_substructure_create() /* * Described in header. */ -proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal, protocol_id_t proto) +proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal) { private_proposal_substructure_t *this = (private_proposal_substructure_t*)proposal_substructure_create(); iterator_t *iterator; @@ -564,7 +578,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t * transform_substructure_t *transform; /* encryption algorithm is only availble in ESP */ - iterator = proposal->create_algorithm_iterator(proposal, proto, ENCRYPTION_ALGORITHM); + iterator = proposal->create_algorithm_iterator(proposal, ENCRYPTION_ALGORITHM); while (iterator->has_next(iterator)) { iterator->current(iterator, (void**)&algo); @@ -574,7 +588,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t * iterator->destroy(iterator); /* integrity algorithms */ - iterator = proposal->create_algorithm_iterator(proposal, proto, INTEGRITY_ALGORITHM); + iterator = proposal->create_algorithm_iterator(proposal, INTEGRITY_ALGORITHM); while (iterator->has_next(iterator)) { algorithm_t *algo; @@ -585,7 +599,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t * iterator->destroy(iterator); /* prf algorithms */ - iterator = proposal->create_algorithm_iterator(proposal, proto, PSEUDO_RANDOM_FUNCTION); + iterator = proposal->create_algorithm_iterator(proposal, PSEUDO_RANDOM_FUNCTION); while (iterator->has_next(iterator)) { algorithm_t *algo; @@ -596,7 +610,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t * iterator->destroy(iterator); /* dh groups */ - iterator = proposal->create_algorithm_iterator(proposal, proto, DIFFIE_HELLMAN_GROUP); + iterator = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP); while (iterator->has_next(iterator)) { algorithm_t *algo; @@ -607,7 +621,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t * iterator->destroy(iterator); /* extended sequence numbers */ - iterator = proposal->create_algorithm_iterator(proposal, proto, EXTENDED_SEQUENCE_NUMBERS); + iterator = proposal->create_algorithm_iterator(proposal, EXTENDED_SEQUENCE_NUMBERS); while (iterator->has_next(iterator)) { algorithm_t *algo; @@ -618,12 +632,19 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t * iterator->destroy(iterator); /* take over general infos */ - this->spi_size = proto == PROTO_IKE ? 8 : 4; + this->spi_size = proposal->get_protocol(proposal) == PROTO_IKE ? 8 : 4; this->spi.len = this->spi_size; this->spi.ptr = malloc(this->spi_size); - *((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal, proto); - this->proposal_number = proposal->get_number(proposal); - this->protocol_id = proto; + if (this->spi_size == 8) + { + *((u_int64_t*)this->spi.ptr) = proposal->get_spi(proposal); + } + else + { + *((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal); + } + this->proposal_number = 0; + this->protocol_id = proposal->get_protocol(proposal); return &(this->public); } diff --git a/src/charon/encoding/payloads/proposal_substructure.h b/src/charon/encoding/payloads/proposal_substructure.h index a59f9532f..5b935f0cd 100644 --- a/src/charon/encoding/payloads/proposal_substructure.h +++ b/src/charon/encoding/payloads/proposal_substructure.h @@ -174,16 +174,12 @@ struct proposal_substructure_t { void (*set_spi) (proposal_substructure_t *this, chunk_t spi); /** - * @brief Add this proposal_substructure to a proposal. - * - * Since a proposal_t may contain the data of multiple - * proposal_sbustructure_t's, it may be necessary to call - * the function multiple times with the same proposal. + * @brief Get a proposal_t from the propsal_substructure_t. * * @param this calling proposal_substructure_t object - * @param proposal proposal where the data should be added + * @return proposal_t */ - void (*add_to_proposal) (proposal_substructure_t *this, proposal_t *proposal); + proposal_t * (*get_proposal) (proposal_substructure_t *this); /** * @brief Clones an proposal_substructure_t object. @@ -211,21 +207,14 @@ struct proposal_substructure_t { proposal_substructure_t *proposal_substructure_create(void); /** - * @brief Creates a proposal substructure from a proposal. - * - * Since a child proposal may contain data for both AH and ESP, - * the protocol must be specified. If the proposal does not contain - * data for proto, NULL is returned. Call twice, once with AH, once - * with ESP, with the same proposal to build the two substructures - * for it. - * + * @brief Creates a proposal_substructure_t from a proposal_t. + * * @param proposal proposal to build a substruct out of it - * @param proto for which protocol the substructure should be built - * @return proposal_substructure_t object, or NULL + * @return proposal_substructure_t object * * @ingroup payloads */ -proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal, protocol_id_t proto); +proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal); #endif /*PROPOSAL_SUBSTRUCTURE_H_*/ diff --git a/src/charon/encoding/payloads/sa_payload.c b/src/charon/encoding/payloads/sa_payload.c index 345264b4d..a54e406a3 100644 --- a/src/charon/encoding/payloads/sa_payload.c +++ b/src/charon/encoding/payloads/sa_payload.c @@ -232,18 +232,20 @@ static iterator_t *create_proposal_substructure_iterator (private_sa_payload_t * /** * Implementation of sa_payload_t.add_proposal_substructure. */ -static void add_proposal_substructure (private_sa_payload_t *this,proposal_substructure_t *proposal) +static void add_proposal_substructure(private_sa_payload_t *this,proposal_substructure_t *proposal) { status_t status; - if (this->proposals->get_count(this->proposals) > 0) + u_int proposal_count = this->proposals->get_count(this->proposals); + + if (proposal_count > 0) { proposal_substructure_t *last_proposal; status = this->proposals->get_last(this->proposals,(void **) &last_proposal); /* last transform is now not anymore last one */ - last_proposal->set_is_last_proposal(last_proposal,FALSE); + last_proposal->set_is_last_proposal(last_proposal, FALSE); } - proposal->set_is_last_proposal(proposal,TRUE); - + proposal->set_is_last_proposal(proposal, TRUE); + proposal->set_proposal_number(proposal, proposal_count + 1); this->proposals->insert_last(this->proposals,(void *) proposal); this->compute_length(this); } @@ -254,19 +256,9 @@ static void add_proposal_substructure (private_sa_payload_t *this,proposal_subst static void add_proposal(private_sa_payload_t *this, proposal_t *proposal) { proposal_substructure_t *substructure; - protocol_id_t proto[2]; - u_int i; - /* build the substructures for every protocol */ - proposal->get_protocols(proposal, proto); - for (i = 0; i<2; i++) - { - if (proto[i] != PROTO_NONE) - { - substructure = proposal_substructure_create_from_proposal(proposal, proto[i]); - add_proposal_substructure(this, substructure); - } - } + substructure = proposal_substructure_create_from_proposal(proposal); + add_proposal_substructure(this, substructure); } /** @@ -274,30 +266,44 @@ static void add_proposal(private_sa_payload_t *this, proposal_t *proposal) */ static linked_list_t *get_proposals(private_sa_payload_t *this) { - int proposal_struct_number = 0; + int struct_number = 0; + int ignore_struct_number = 0; iterator_t *iterator; - proposal_t *proposal; linked_list_t *proposal_list; /* this list will hold our proposals */ proposal_list = linked_list_create(); - /* iterate over structures, one OR MORE structures will result in a proposal */ - iterator = this->proposals->create_iterator(this->proposals,TRUE); + /* we do not support proposals split up to two proposal substructures, as + * AH+ESP bundles are not supported in RFC4301 anymore. + * To handle such structures safely, we just skip proposals with multiple + * protocols. + */ + iterator = this->proposals->create_iterator(this->proposals, TRUE); while (iterator->has_next(iterator)) { + proposal_t *proposal; proposal_substructure_t *proposal_struct; - iterator->current(iterator,(void **)&(proposal_struct)); - if (proposal_struct->get_proposal_number(proposal_struct) > proposal_struct_number) + iterator->current(iterator, (void **)&proposal_struct); + /* check if a proposal has a single protocol */ + if (proposal_struct->get_proposal_number(proposal_struct) == struct_number) + { + if (ignore_struct_number < struct_number) + { + /* remova an already added, if first of series */ + proposal_list->remove_last(proposal_list, (void**)proposal); + proposal->destroy(proposal); + ignore_struct_number = struct_number; + } + continue; + } + struct_number++; + proposal = proposal_struct->get_proposal(proposal_struct); + if (proposal) { - /* here starts a new proposal, create a new one and add it to the list */ - proposal_struct_number = proposal_struct->get_proposal_number(proposal_struct); - proposal = proposal_create(proposal_struct_number); proposal_list->insert_last(proposal_list, proposal); } - /* proposal_substructure_t does the dirty work and builds up the proposal */ - proposal_struct->add_to_proposal(proposal_struct, proposal); } iterator->destroy(iterator); return proposal_list; @@ -354,7 +360,7 @@ sa_payload_t *sa_payload_create() this->payload_length = SA_PAYLOAD_HEADER_LENGTH; this->proposals = linked_list_create(); - return (&(this->public)); + return &this->public; } /* diff --git a/src/charon/queues/jobs/rekey_child_sa_job.c b/src/charon/queues/jobs/rekey_child_sa_job.c index 69b1342a5..17f88b12f 100644 --- a/src/charon/queues/jobs/rekey_child_sa_job.c +++ b/src/charon/queues/jobs/rekey_child_sa_job.c @@ -71,9 +71,9 @@ static status_t execute(private_rekey_child_sa_job_t *this) return DESTROY_ME; } - /* TODO */ + ike_sa->rekey_child_sa(ike_sa, this->reqid); - status = charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); return DESTROY_ME; } diff --git a/src/charon/queues/jobs/rekey_child_sa_job.h b/src/charon/queues/jobs/rekey_child_sa_job.h index 2492b2b46..54f701137 100644 --- a/src/charon/queues/jobs/rekey_child_sa_job.h +++ b/src/charon/queues/jobs/rekey_child_sa_job.h @@ -51,9 +51,12 @@ struct rekey_child_sa_job_t { * @brief Creates a job of type REKEY_CHILD_SA. * * To find the targeted CHILD_SA, the uniqe reqid used in - * the kernel is used. + * the kernel is used. As a CHILD_SA may contain multiple SAs + * (AH and/or ESP), we must provide an additional spi to + * know which IPsec SA to rekey. * * @param reqid reqid CHILD_SA to rekey + * @param spi security parameter index of the SA to rekey * @return rekey_child_sa_job_t object * * @ingroup jobs diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c index b79d07028..2321e4696 100644 --- a/src/charon/sa/child_sa.c +++ b/src/charon/sa/child_sa.c @@ -36,25 +36,12 @@ typedef struct sa_policy_t sa_policy_t; */ struct sa_policy_t { - /** - * Network on local side - */ - host_t *my_net; - - /** - * Network on remote side - */ - host_t *other_net; - - /** - * Number of bits for local network (subnet size) - */ - u_int8_t my_net_mask; - - /** - * Number of bits for remote network (subnet size) - */ - u_int8_t other_net_mask; + struct { + /** subnet address behind peer peer */ + host_t *net; + /** netmask used for net */ + u_int8_t net_mask; + } me, other; /** * Protocol for this policy, such as TCP/UDP/ICMP... @@ -73,38 +60,20 @@ struct private_child_sa_t { */ child_sa_t public; - /** - * IP of this peer - */ - host_t *me; + struct { + /** address of peer */ + host_t *addr; + /** actual used SPI, 0 if unused */ + u_int32_t spi; + } me, other; /** - * IP of other peer + * Protocol used to protect this SA, ESP|AH */ - host_t *other; + protocol_id_t protocol; /** - * Local security parameter index for AH protocol, 0 if not used - */ - u_int32_t my_ah_spi; - - /** - * Local security parameter index for ESP protocol, 0 if not used - */ - u_int32_t my_esp_spi; - - /** - * Remote security parameter index for AH protocol, 0 if not used - */ - u_int32_t other_ah_spi; - - /** - * Remote security parameter index for ESP protocol, 0 if not used - */ - u_int32_t other_esp_spi; - - /** - * List containing policy_id_t objects + * List containing sa_policy_t objects */ linked_list_t *policies; @@ -113,6 +82,16 @@ struct private_child_sa_t { */ u_int32_t reqid; + /** + * Lifetime before rekeying + */ + u_int32_t soft_lifetime; + + /** + * Lifetime before delete + */ + u_int32_t hard_lifetime; + /** * CHILD_SAs own logger */ @@ -126,13 +105,33 @@ static u_int32_t get_reqid(private_child_sa_t *this) { return this->reqid; } + +/** + * Implements child_sa_t.get_spi + */ +u_int32_t get_spi(private_child_sa_t *this, bool inbound) +{ + if (inbound) + { + return this->me.spi; + } + return this->other.spi; +} + +/** + * Implements child_sa_t.get_protocol + */ +protocol_id_t get_protocol(private_child_sa_t *this) +{ + return this->protocol; +} /** * Implements child_sa_t.alloc */ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals) { - protocol_id_t protocols[2]; + protocol_id_t protocol; iterator_t *iterator; proposal_t *proposal; status_t status; @@ -143,50 +142,21 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals) while(iterator->has_next(iterator)) { iterator->current(iterator, (void**)&proposal); - proposal->get_protocols(proposal, protocols); - - /* check all protocols */ - for (i = 0; i<2; i++) + protocol = proposal->get_protocol(proposal); + + status = charon->kernel_interface->get_spi( + charon->kernel_interface, + this->me.addr, this->other.addr, + protocol, FALSE, + &(this->me.spi)); + + if (status != SUCCESS) { - switch (protocols[i]) - { - case PROTO_AH: - /* do we already have an spi for AH?*/ - if (this->my_ah_spi == 0) - { - /* nope, get one */ - status = charon->kernel_interface->get_spi( - charon->kernel_interface, - this->me, this->other, - PROTO_AH, FALSE, - &(this->my_ah_spi)); - } - /* update proposal */ - proposal->set_spi(proposal, PROTO_AH, (u_int64_t)this->my_ah_spi); - break; - case PROTO_ESP: - /* do we already have an spi for ESP?*/ - if (this->my_esp_spi == 0) - { - /* nope, get one */ - status = charon->kernel_interface->get_spi( - charon->kernel_interface, - this->me, this->other, - PROTO_ESP, FALSE, - &(this->my_esp_spi)); - } - /* update proposal */ - proposal->set_spi(proposal, PROTO_ESP, (u_int64_t)this->my_esp_spi); - break; - default: - break; - } - if (status != SUCCESS) - { - iterator->destroy(iterator); - return FAILED; - } + iterator->destroy(iterator); + return FAILED; } + /* update proposal */ + proposal->set_spi(proposal, (u_int64_t)this->me.spi); } iterator->destroy(iterator); return SUCCESS; @@ -194,7 +164,6 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals) static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus, bool mine) { - protocol_id_t protocols[2]; u_int32_t spi; encryption_algorithm_t enc_algo; integrity_algorithm_t int_algo; @@ -206,128 +175,103 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus host_t *src; host_t *dst; status_t status; - u_int i; /* we must assign the roles to correctly set up the SAs */ if (mine) { - src = this->me; - dst = this->other; + src = this->me.addr; + dst = this->other.addr; } else { - dst = this->me; - src = this->other; + dst = this->me.addr; + src = this->other.addr; } - proposal->get_protocols(proposal, protocols); - /* derive keys in order as protocols appear */ - for (i = 0; i<2; i++) + this->protocol = proposal->get_protocol(proposal); + + /* now we have to decide which spi to use. Use self allocated, if "mine", + * or the one in the proposal, if not "mine" (others). */ + if (mine) { - if (protocols[i] != PROTO_NONE) - { - - /* now we have to decide which spi to use. Use self allocated, if "mine", - * or the one in the proposal, if not "mine" (others). */ - if (mine) - { - if (protocols[i] == PROTO_AH) - { - spi = this->my_ah_spi; - } - else - { - spi = this->my_esp_spi; - } - } - else /* use proposals spi */ - { - spi = proposal->get_spi(proposal, protocols[i]); - if (protocols[i] == PROTO_AH) - { - this->other_ah_spi = spi; - } - else - { - this->other_esp_spi = spi; - } - } - - /* derive encryption key first */ - if (proposal->get_algorithm(proposal, protocols[i], ENCRYPTION_ALGORITHM, &algo)) - { - enc_algo = algo->algorithm; - this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s, ", - mapping_find(protocol_id_m, protocols[i]), - mine ? "me" : "other", - mapping_find(transform_type_m, ENCRYPTION_ALGORITHM), - mapping_find(encryption_algorithm_m, enc_algo)); - - /* we must create a (unused) crypter, since its the only way to get the size - * of the key. This is not so nice, since charon must support all algorithms - * the kernel supports... - * TODO: build something of a encryption algorithm lookup function - */ - crypter = crypter_create(enc_algo, algo->key_size); - key_size = crypter->get_key_size(crypter); - crypter->destroy(crypter); - prf_plus->allocate_bytes(prf_plus, key_size, &enc_key); - this->logger->log_chunk(this->logger, PRIVATE, "key:", enc_key); - } - else - { - enc_algo = ENCR_UNDEFINED; - } - - /* derive integrity key */ - if (proposal->get_algorithm(proposal, protocols[i], INTEGRITY_ALGORITHM, &algo)) - { - int_algo = algo->algorithm; - this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s,", - mapping_find(protocol_id_m, protocols[i]), - mine ? "me" : "other", - mapping_find(transform_type_m, INTEGRITY_ALGORITHM), - mapping_find(integrity_algorithm_m, algo->algorithm)); - - signer = signer_create(int_algo); - key_size = signer->get_key_size(signer); - signer->destroy(signer); - prf_plus->allocate_bytes(prf_plus, key_size, &int_key); - this->logger->log_chunk(this->logger, PRIVATE, "key:", int_key); - } - else - { - int_algo = AUTH_UNDEFINED; - } - /* send keys down to kernel */ - this->logger->log(this->logger, CONTROL|LEVEL1, - "installing 0x%.8x for %s, src %s dst %s", - ntohl(spi), mapping_find(protocol_id_m, protocols[i]), - src->get_address(src), dst->get_address(dst)); - status = charon->kernel_interface->add_sa(charon->kernel_interface, - src, dst, - spi, protocols[i], - this->reqid, - 5, 30, - enc_algo, enc_key, - int_algo, int_key, mine); - /* clean up for next round */ - if (enc_algo != ENCR_UNDEFINED) - { - chunk_free(&enc_key); - } - if (int_algo != AUTH_UNDEFINED) - { - chunk_free(&int_key); - } - - if (status != SUCCESS) - { - return FAILED; - } - } + spi = this->me.spi; } - return SUCCESS; + else + { + spi = proposal->get_spi(proposal); + this->other.spi = spi; + } + + /* derive encryption key first */ + if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo)) + { + enc_algo = algo->algorithm; + this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s, ", + mapping_find(protocol_id_m, this->protocol), + mine ? "me" : "other", + mapping_find(transform_type_m, ENCRYPTION_ALGORITHM), + mapping_find(encryption_algorithm_m, enc_algo)); + + /* we must create a (unused) crypter, since its the only way to get the size + * of the key. This is not so nice, since charon must support all algorithms + * the kernel supports... + * TODO: build something of a encryption algorithm lookup function + */ + crypter = crypter_create(enc_algo, algo->key_size); + key_size = crypter->get_key_size(crypter); + crypter->destroy(crypter); + prf_plus->allocate_bytes(prf_plus, key_size, &enc_key); + this->logger->log_chunk(this->logger, PRIVATE, "key:", enc_key); + } + else + { + enc_algo = ENCR_UNDEFINED; + } + + /* derive integrity key */ + if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo)) + { + int_algo = algo->algorithm; + this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s,", + mapping_find(protocol_id_m, this->protocol), + mine ? "me" : "other", + mapping_find(transform_type_m, INTEGRITY_ALGORITHM), + mapping_find(integrity_algorithm_m, algo->algorithm)); + + signer = signer_create(int_algo); + key_size = signer->get_key_size(signer); + signer->destroy(signer); + prf_plus->allocate_bytes(prf_plus, key_size, &int_key); + this->logger->log_chunk(this->logger, PRIVATE, "key:", int_key); + } + else + { + int_algo = AUTH_UNDEFINED; + } + + /* send keys down to kernel */ + this->logger->log(this->logger, CONTROL|LEVEL1, + "installing 0x%.8x for %s, src %s dst %s", + ntohl(spi), mapping_find(protocol_id_m, this->protocol), + src->get_address(src), dst->get_address(dst)); + status = charon->kernel_interface->add_sa(charon->kernel_interface, + src, dst, + spi, this->protocol, + this->reqid, + mine ? 0 : this->soft_lifetime, + this->hard_lifetime, + enc_algo, enc_key, + int_algo, int_key, mine); + /* clean up */ + if (enc_algo != ENCR_UNDEFINED) + { + chunk_free(&enc_key); + } + if (int_algo != AUTH_UNDEFINED) + { + chunk_free(&int_key); + } + return status; } static status_t add(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus) @@ -412,8 +356,8 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list from_port = my_ts->get_from_port(my_ts); to_port = my_ts->get_to_port(my_ts); from_port = (from_port != to_port) ? 0 : from_port; - policy->my_net = host_create_from_chunk(family, from_addr, from_port); - policy->my_net_mask = my_ts->get_netmask(my_ts); + policy->me.net = host_create_from_chunk(family, from_addr, from_port); + policy->me.net_mask = my_ts->get_netmask(my_ts); chunk_free(&from_addr); /* calculate net and ports for remote side */ @@ -422,41 +366,44 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list from_port = other_ts->get_from_port(other_ts); to_port = other_ts->get_to_port(other_ts); from_port = (from_port != to_port) ? 0 : from_port; - policy->other_net = host_create_from_chunk(family, from_addr, from_port); - policy->other_net_mask = other_ts->get_netmask(other_ts); + policy->other.net = host_create_from_chunk(family, from_addr, from_port); + policy->other.net_mask = other_ts->get_netmask(other_ts); chunk_free(&from_addr); /* install 3 policies: out, in and forward */ status = charon->kernel_interface->add_policy(charon->kernel_interface, - this->me, this->other, - policy->my_net, policy->other_net, - policy->my_net_mask, policy->other_net_mask, + this->me.addr, this->other.addr, + policy->me.net, policy->other.net, + policy->me.net_mask, policy->other.net_mask, XFRM_POLICY_OUT, policy->upper_proto, - this->my_ah_spi, this->my_esp_spi, + this->protocol == PROTO_AH, + this->protocol == PROTO_ESP, this->reqid); status |= charon->kernel_interface->add_policy(charon->kernel_interface, - this->other, this->me, - policy->other_net, policy->my_net, - policy->other_net_mask, policy->my_net_mask, + this->other.addr, this->me.addr, + policy->other.net, policy->me.net, + policy->other.net_mask, policy->me.net_mask, XFRM_POLICY_IN, policy->upper_proto, - this->my_ah_spi, this->my_esp_spi, + this->protocol == PROTO_AH, + this->protocol == PROTO_ESP, this->reqid); status |= charon->kernel_interface->add_policy(charon->kernel_interface, - this->other, this->me, - policy->other_net, policy->my_net, - policy->other_net_mask, policy->my_net_mask, + this->other.addr, this->me.addr, + policy->other.net, policy->me.net, + policy->other.net_mask, policy->me.net_mask, XFRM_POLICY_FWD, policy->upper_proto, - this->my_ah_spi, this->my_esp_spi, + this->protocol == PROTO_AH, + this->protocol == PROTO_ESP, this->reqid); if (status != SUCCESS) { my_iter->destroy(my_iter); other_iter->destroy(other_iter); - policy->my_net->destroy(policy->my_net); - policy->other_net->destroy(policy->other_net); + policy->me.net->destroy(policy->me.net); + policy->other.net->destroy(policy->other.net); free(policy); return status; } @@ -465,7 +412,6 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list this->policies->insert_last(this->policies, policy); } } - my_iter->destroy(my_iter); other_iter->destroy(other_iter); return SUCCESS; @@ -486,10 +432,11 @@ static void log_status(private_child_sa_t *this, logger_t *logger, char* name) { logger = this->logger; } - logger->log(logger, CONTROL|LEVEL1, " \"%s\": protected with ESP (0x%x/0x%x), AH (0x%x,0x%x):", + logger->log(logger, CONTROL|LEVEL1, " \"%s\": protected with %s (0x%x/0x%x), reqid %d:", name, - htonl(this->my_esp_spi), htonl(this->other_esp_spi), - htonl(this->my_ah_spi), htonl(this->other_ah_spi)); + this->protocol == PROTO_ESP ? "ESP" : "AH", + htonl(this->me.spi), htonl(this->other.spi), + this->reqid); iterator = this->policies->create_iterator(this->policies, TRUE); while (iterator->has_next(iterator)) { @@ -508,9 +455,9 @@ static void log_status(private_child_sa_t *this, logger_t *logger, char* name) } logger->log(logger, CONTROL, " \"%s\": %s/%d==%s==%s/%d", name, - policy->my_net->get_address(policy->my_net), policy->my_net_mask, + policy->me.net->get_address(policy->me.net), policy->me.net_mask, proto_name, - policy->other_net->get_address(policy->other_net), policy->other_net_mask); + policy->other.net->get_address(policy->other.net), policy->other.net_mask); } iterator->destroy(iterator); } @@ -525,43 +472,36 @@ static void destroy(private_child_sa_t *this) while (this->policies->remove_last(this->policies, (void**)&policy) == SUCCESS) { charon->kernel_interface->del_policy(charon->kernel_interface, - this->me, this->other, - policy->my_net, policy->other_net, - policy->my_net_mask, policy->other_net_mask, + this->me.addr, this->other.addr, + policy->me.net, policy->other.net, + policy->me.net_mask, policy->other.net_mask, XFRM_POLICY_OUT, policy->upper_proto); charon->kernel_interface->del_policy(charon->kernel_interface, - this->other, this->me, - policy->other_net, policy->my_net, - policy->other_net_mask, policy->my_net_mask, + this->other.addr, this->me.addr, + policy->other.net, policy->me.net, + policy->other.net_mask, policy->me.net_mask, XFRM_POLICY_IN, policy->upper_proto); charon->kernel_interface->del_policy(charon->kernel_interface, - this->other, this->me, - policy->other_net, policy->my_net, - policy->other_net_mask, policy->my_net_mask, + this->other.addr, this->me.addr, + policy->other.net, policy->me.net, + policy->other.net_mask, policy->me.net_mask, XFRM_POLICY_FWD, policy->upper_proto); - policy->my_net->destroy(policy->my_net); - policy->other_net->destroy(policy->other_net); + policy->me.net->destroy(policy->me.net); + policy->other.net->destroy(policy->other.net); free(policy); } this->policies->destroy(this->policies); /* delete SAs in the kernel, if they are set up */ - if (this->my_ah_spi) + if (this->protocol != PROTO_NONE) { charon->kernel_interface->del_sa(charon->kernel_interface, - this->other, this->my_ah_spi, PROTO_AH); + this->other.addr, this->me.spi, this->protocol); charon->kernel_interface->del_sa(charon->kernel_interface, - this->me, this->other_ah_spi, PROTO_AH); - } - if (this->my_esp_spi) - { - charon->kernel_interface->del_sa(charon->kernel_interface, - this->other, this->my_esp_spi, PROTO_ESP); - charon->kernel_interface->del_sa(charon->kernel_interface, - this->me, this->other_esp_spi, PROTO_ESP); + this->me.addr, this->other.spi, this->protocol); } free(this); } @@ -569,13 +509,15 @@ static void destroy(private_child_sa_t *this) /* * Described in header. */ -child_sa_t * child_sa_create(host_t *me, host_t* other) +child_sa_t * child_sa_create(host_t *me, host_t* other, u_int32_t soft_lifetime, u_int32_t hard_lifetime) { static u_int32_t reqid = 2000000000; private_child_sa_t *this = malloc_thing(private_child_sa_t); /* public functions */ this->public.get_reqid = (u_int32_t(*)(child_sa_t*))get_reqid; + this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi; + this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol; this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc; this->public.add = (status_t(*)(child_sa_t*,proposal_t*,prf_plus_t*))add; this->public.update = (status_t(*)(child_sa_t*,proposal_t*,prf_plus_t*))update; @@ -585,14 +527,15 @@ child_sa_t * child_sa_create(host_t *me, host_t* other) /* private data */ this->logger = logger_manager->get_logger(logger_manager, CHILD_SA); - this->me = me; - this->other = other; - this->my_ah_spi = 0; - this->my_esp_spi = 0; - this->other_ah_spi = 0; - this->other_esp_spi = 0; + this->me.addr = me; + this->other.addr = other; + this->me.spi = 0; + this->other.spi = 0; + this->soft_lifetime = soft_lifetime; + this->hard_lifetime = hard_lifetime; this->reqid = ++reqid; this->policies = linked_list_create(); + this->protocol = PROTO_NONE; return (&this->public); } diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h index d32a56152..921b570af 100644 --- a/src/charon/sa/child_sa.h +++ b/src/charon/sa/child_sa.h @@ -27,6 +27,7 @@ #include #include #include +#include #include typedef struct child_sa_t child_sa_t; @@ -69,6 +70,27 @@ struct child_sa_t { */ u_int32_t (*get_reqid)(child_sa_t *this); + /** + * @brief Get the SPI of this CHILD_SA. + * + * Set the boolean parameter inbound to TRUE to + * get the SPI for which we receive packets, use + * FALSE to get those we use for sending packets. + * + * @param this calling object + * @param inbound TRUE to get inbound SPI, FALSE for outbound. + * @return spi of the CHILD SA + */ + u_int32_t (*get_spi) (child_sa_t *this, bool inbound); + + /** + * @brief Get the protocol which this CHILD_SA uses to protect traffic. + * + * @param this calling object + * @return AH | ESP + */ + protocol_id_t (*get_protocol) (child_sa_t *this); + /** * @brief Allocate SPIs for a given proposals. * @@ -112,7 +134,7 @@ struct child_sa_t { /** * @brief Install the policies using some traffic selectors. - * + * * Supplied lists of traffic_selector_t's specify the policies * to use for this child sa. * @@ -151,10 +173,12 @@ struct child_sa_t { * * @param me own address * @param other remote address + * @param soft_lifetime time before rekeying + * @param hard_lifteime time before delete * @return child_sa_t object * * @ingroup sa */ -child_sa_t * child_sa_create(host_t *me, host_t *other); +child_sa_t * child_sa_create(host_t *me, host_t *other, u_int32_t soft_lifetime, u_int32_t hard_lifetime); #endif /*CHILD_SA_H_*/ diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index eae7ad3d1..363e2264d 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c @@ -38,8 +38,10 @@ #include #include #include +#include #include #include +#include #include #include #include @@ -63,7 +65,7 @@ struct private_ike_sa_t { * Identifier for the current IKE_SA. */ ike_sa_id_t *ike_sa_id; - + /** * Linked List containing the child sa's of the current IKE_SA. */ @@ -84,30 +86,12 @@ struct private_ike_sa_t { state_t *current_state; /** - * INIT configuration, needed for the IKE_SA_INIT exchange. - * - * Gets set in states: - * - INITATOR_INIT - * - RESPONDER_INIT - * - * Available in states: - * - IKE_SA_INIT_REQUESTED - * - IKE_SA_INIT_RESPONDED - * - IKE_AUTH_REQUESTED - * -IKE_SA_ESTABLISHED + * Connection definition used for this IKE_SA */ connection_t *connection; /** - * SA configuration, needed for all other exchanges after IKE_SA_INIT exchange. - * - * Gets set in states: - * - IKE_SA_INIT_REQUESTED - * - IKE_SA_INIT_RESPONDED - * - * Available in states: - * - IKE_AUTH_REQUESTED - * -IKE_SA_ESTABLISHED + * Policy definition used for this IKE_SA */ policy_t *policy; @@ -189,77 +173,6 @@ struct private_ike_sa_t { logger_t *logger; }; -/** - * Implementation of ike_sa_t.process_message. - */ -static status_t process_message(private_ike_sa_t *this, message_t *message) -{ - u_int32_t message_id; - exchange_type_t exchange_type; - bool is_request; - /* We must process each request or response from remote host */ - - /* Find out type of message (request or response) */ - is_request = message->get_request(message); - exchange_type = message->get_exchange_type(message); - - this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s", - (is_request) ? "request" : "response",mapping_find(exchange_type_m,exchange_type)); - - message_id = message->get_message_id(message); - - /* - * It has to be checked, if the message has to be resent cause of lost packets! - */ - if (is_request && (message_id == (this->message_id_in - 1))) - { - /* resend last message, if any */ - if (this->last_responded_message) - { - packet_t *packet = this->last_responded_message->get_packet(this->last_responded_message); - this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply."); - charon->send_queue->add(charon->send_queue, packet); - return SUCCESS; - } - else - { - /* somebody does something nasty here... */ - return FAILED; - } - } - - /* Now, the message id is checked for request AND reply */ - if (is_request) - { - /* In a request, the message has to be this->message_id_in (other case is already handled) */ - if (message_id != this->message_id_in) - { - this->logger->log(this->logger, ERROR | LEVEL1, - "Message request with message id %d received, but %d expected", - message_id,this->message_id_in); - return FAILED; - } - } - else - { - /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/ - if (message_id != (this->message_id_out - 1)) - { - this->logger->log(this->logger, ERROR | LEVEL1, - "Message reply with message id %d received, but %d expected", - message_id,this->message_id_in); - return FAILED; - } - } - - /* now the message is processed by the current state object. - * The specific state object is responsible to check if a message can be received in - * the state it represents. - * The current state is also responsible to change the state object to the next state - * by calling protected_ike_sa_t.set_new_state*/ - return this->current_state->process_message(this->current_state,message); -} - /** * Implementation of protected_ike_sa_t.build_message. */ @@ -283,95 +196,6 @@ static void build_message(private_ike_sa_t *this, exchange_type_t type, bool req *message = new_message; } -/** - * Implementation of protected_ike_sa_t.initiate_connection. - */ -static status_t initiate_connection(private_ike_sa_t *this, connection_t *connection) -{ - initiator_init_t *current_state; - - /* Work is done in state object of type INITIATOR_INIT. All other states are not - * initial states and so don't have a initiate_connection function */ - - if (this->current_state->get_state(this->current_state) != INITIATOR_INIT) - { - return FAILED; - } - - current_state = (initiator_init_t *) this->current_state; - - return current_state->initiate_connection(current_state, connection); -} - -/** - * Implementation of ike_sa_t.get_id. - */ -static ike_sa_id_t* get_id(private_ike_sa_t *this) -{ - return this->ike_sa_id; -} - -/** - * Implementation of ike_sa_t.get_my_host. - */ -static host_t* get_my_host(private_ike_sa_t *this) -{ - return this->connection->get_my_host(this->connection);; -} - -/** - * Implementation of ike_sa_t.get_other_host. - */ -static host_t* get_other_host(private_ike_sa_t *this) -{ - return this->connection->get_other_host(this->connection);; -} - -/** - * Implementation of ike_sa_t.get_my_id. - */ -static identification_t* get_my_id(private_ike_sa_t *this) -{ - return this->policy->get_my_id(this->policy);; -} - -/** - * Implementation of ike_sa_t.get_other_id. - */ -static identification_t* get_other_id(private_ike_sa_t *this) -{ - return this->policy->get_other_id(this->policy);; -} - -/** - * Implementation of ike_sa_t.retransmit_request. - */ -status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id) -{ - packet_t *packet; - - if (this->last_requested_message == NULL) - { - return NOT_FOUND; - } - - if (message_id == this->last_replied_message_id) - { - return NOT_FOUND; - } - - if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id) - { - return NOT_FOUND; - } - - this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id); - packet = this->last_requested_message->get_packet(this->last_requested_message); - charon->send_queue->add(charon->send_queue, packet); - - return SUCCESS; -} - /** * Implementation of ike_sa_t.get_state. */ @@ -454,6 +278,74 @@ static prf_t *get_prf_auth_r(private_ike_sa_t *this) { return this->prf_auth_r; } +/** + * Implementation of ike_sa_t.get_id. + */ +static ike_sa_id_t* get_id(private_ike_sa_t *this) +{ + return this->ike_sa_id; +} + +/** + * Implementation of ike_sa_t.get_my_host. + */ +static host_t* get_my_host(private_ike_sa_t *this) +{ + return this->connection->get_my_host(this->connection);; +} + +/** + * Implementation of ike_sa_t.get_other_host. + */ +static host_t* get_other_host(private_ike_sa_t *this) +{ + return this->connection->get_other_host(this->connection);; +} + +/** + * Implementation of ike_sa_t.get_my_id. + */ +static identification_t* get_my_id(private_ike_sa_t *this) +{ + return this->policy->get_my_id(this->policy);; +} + +/** + * Implementation of ike_sa_t.get_other_id. + */ +static identification_t* get_other_id(private_ike_sa_t *this) +{ + return this->policy->get_other_id(this->policy);; +} + +/** + * Implementation of ike_sa_t.retransmit_request. + */ +status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id) +{ + packet_t *packet; + + if (this->last_requested_message == NULL) + { + return NOT_FOUND; + } + + if (message_id == this->last_replied_message_id) + { + return NOT_FOUND; + } + + if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id) + { + return NOT_FOUND; + } + + this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id); + packet = this->last_requested_message->get_packet(this->last_requested_message); + charon->send_queue->add(charon->send_queue, packet); + + return SUCCESS; +} /** @@ -468,13 +360,13 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d size_t key_size; /* - * Build the PRF+ instance for deriving keys - */ + * Build the PRF+ instance for deriving keys + */ if (this->prf != NULL) { this->prf->destroy(this->prf); } - proposal->get_algorithm(proposal, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, &algo); + proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo); if (algo == NULL) { this->logger->log(this->logger, ERROR|LEVEL2, "No PRF algoithm selected!?"); @@ -511,10 +403,10 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d chunk_free(&secret); /* prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr ) - * = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr - * - * we use the prf directly for prf+ - */ + * = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr + * + * we use the prf directly for prf+ + */ this->prf->set_key(this->prf, skeyseed); prf_plus = prf_plus_create(this->prf, nonces_spis); @@ -525,9 +417,9 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d /* - * We now can derive all of our key. We build the transforms - * directly. - */ + * We now can derive all of our key. We build the transforms + * directly. + */ /* SK_d used for prf+ to derive keys for child SAs */ @@ -540,7 +432,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d /* SK_ai/SK_ar used for integrity protection */ - proposal->get_algorithm(proposal, PROTO_IKE, INTEGRITY_ALGORITHM, &algo); + proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo); if (algo == NULL) { this->logger->log(this->logger, ERROR|LEVEL2, "No integrity algoithm selected?!"); @@ -578,7 +470,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d /* SK_ei/SK_er used for encryption */ - proposal->get_algorithm(proposal, PROTO_IKE, ENCRYPTION_ALGORITHM, &algo); + proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo); if (algo == NULL) { this->logger->log(this->logger, ERROR|LEVEL2, "No encryption algoithm selected!?"); @@ -616,7 +508,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d chunk_free(&key); /* SK_pi/SK_pr used for authentication */ - proposal->get_algorithm(proposal, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, &algo); + proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo); if (this->prf_auth_i != NULL) { this->prf_auth_i->destroy(this->prf_auth_i); @@ -701,7 +593,7 @@ static status_t send_request(private_ike_sa_t *this, message_t *message) if (message->get_message_id(message) != this->message_id_out) { this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)", - message->get_message_id(message),this->message_id_out); + message->get_message_id(message),this->message_id_out); return FAILED; } @@ -727,8 +619,8 @@ static status_t send_request(private_ike_sa_t *this, message_t *message) } this->logger->log(this->logger, CONTROL|LEVEL3, - "Add request packet with message id %d to global send queue", - this->message_id_out); + "Add request packet with message id %d to global send queue", + this->message_id_out); charon->send_queue->add(charon->send_queue, packet); /* replace last message for retransmit with current */ @@ -754,8 +646,8 @@ static status_t send_request(private_ike_sa_t *this, message_t *message) /* message counter can now be increased */ this->logger->log(this->logger, CONTROL|LEVEL3, - "Increase message counter for outgoing messages from %d", - this->message_id_out); + "Increase message counter for outgoing messages from %d", + this->message_id_out); this->message_id_out++; return SUCCESS; } @@ -795,8 +687,8 @@ static status_t send_response(private_ike_sa_t *this, message_t *message) } this->logger->log(this->logger, CONTROL|LEVEL3, - "Add response packet with message id %d to global send queue", - this->message_id_in); + "Add response packet with message id %d to global send queue", + this->message_id_in); charon->send_queue->add(charon->send_queue, packet); if (this->last_responded_message != NULL) @@ -827,7 +719,7 @@ static void send_notify(private_ike_sa_t *this, exchange_type_t exchange_type, n this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload"); /* set up the reply */ - this->protected.build_message(&(this->protected), exchange_type, FALSE, &response); + build_message(this, exchange_type, FALSE, &response); payload = notify_payload_create_from_protocol_and_type(PROTO_IKE, type); if ((data.ptr != NULL) && (data.len > 0)) { @@ -886,6 +778,220 @@ static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa) this->child_sas->insert_last(this->child_sas, child_sa); } +/** + * Process an informational request + */ +static status_t process_informational(private_ike_sa_t *this, message_t *request) +{ + delete_payload_t *delete_request = NULL; + message_t *response; + iterator_t *payloads; + state_t *old_state; + + build_message(this, INFORMATIONAL, FALSE, &response); + + payloads = request->get_payload_iterator(request); + while (payloads->has_next(payloads)) + { + payload_t *payload; + payloads->current(payloads, (void**)&payload); + + switch (payload->get_type(payload)) + { + case DELETE: + { + delete_request = (delete_payload_t *) payload; + break; + } + default: + { + this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)", + mapping_find(payload_type_m, payload->get_type(payload)), + payload->get_type(payload)); + break; + } + } + } + /* iterator can be destroyed */ + payloads->destroy(payloads); + + if (delete_request) + { + if (delete_request->get_protocol_id(delete_request) == PROTO_IKE) + { + this->logger->log(this->logger, CONTROL, "DELETE request for IKE_SA received"); + if (send_response(this, response) != SUCCESS) + { + /* something is seriously wrong, kill connection */ + this->logger->log(this->logger, AUDIT, "Unable to send reply. Deleting IKE_SA"); + response->destroy(response); + } + /* switch to delete_requested. This is not absolutly correct, but we + * allow the clean destruction of an SA only in this state. */ + old_state = this->current_state; + set_new_state(this, (state_t*)delete_requested_create(this)); + old_state->destroy(old_state); + return DESTROY_ME; + } + else + { + this->logger->log(this->logger, CONTROL, "DELETE request for CHILD_SA received. Ignored"); + response->destroy(response); + return FAILED; + } + } + return SUCCESS; +} + + +/** + * Process an informational request + */ +static status_t process_create_child_sa(private_ike_sa_t *this, message_t *request) +{ + +} + +/** + * Implementation of ike_sa_t.process_message. + */ +static status_t process_message(private_ike_sa_t *this, message_t *message) +{ + u_int32_t message_id; + exchange_type_t exchange_type; + bool is_request; + status_t status; + crypter_t *crypter; + signer_t *signer; + + /* Find out type of message (request or response) */ + is_request = message->get_request(message); + exchange_type = message->get_exchange_type(message); + + this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s", + (is_request) ? "request" : "response", + mapping_find(exchange_type_m, exchange_type)); + + message_id = message->get_message_id(message); + + /* check if message already received, and retransmit its reply */ + if (is_request && (message_id == (this->message_id_in - 1))) + { + /* resend last message, if any */ + if (this->last_responded_message) + { + packet_t *packet = this->last_responded_message->get_packet(this->last_responded_message); + this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply."); + charon->send_queue->add(charon->send_queue, packet); + return SUCCESS; + } + else + { + /* somebody does something nasty here... */ + return FAILED; + } + } + + /* Now, the message id is checked for request AND reply */ + if (is_request) + { + /* In a request, the message has to be this->message_id_in (other case is already handled) */ + if (message_id != this->message_id_in) + { + this->logger->log(this->logger, ERROR | LEVEL1, + "Message request with message id %d received, but %d expected", + message_id,this->message_id_in); + return FAILED; + } + } + else + { + /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/ + if (message_id != (this->message_id_out - 1)) + { + this->logger->log(this->logger, ERROR | LEVEL1, + "Message reply with message id %d received, but %d expected", + message_id,this->message_id_in); + return FAILED; + } + } + + if (this->current_state->get_state(this->current_state) == IKE_SA_ESTABLISHED) + { + if (is_request) + { + /* get signer for verification and crypter for decryption */ + if (!this->ike_sa_id->is_initiator(this->ike_sa_id)) + { + crypter = this->crypter_initiator; + signer = this->signer_initiator; + } + else + { + crypter = this->crypter_responder; + signer = this->signer_responder; + } + + /* parse incoming message */ + status = message->parse_body(message, crypter, signer); + if (status != SUCCESS) + { + this->logger->log(this->logger, AUDIT, "%s request decryption failed. Ignoring message", + mapping_find(exchange_type_m, message->get_exchange_type(message))); + return status; + } + switch (message->get_exchange_type(message)) + { + case CREATE_CHILD_SA: + return process_create_child_sa(this, message); + case INFORMATIONAL: + return process_informational(this, message); + default: + this->logger->log(this->logger, CONTROL, + "Received a %s request, ignored", + mapping_find(exchange_type_m, exchange_type)); + } + } + else + { + this->logger->log(this->logger, ERROR|LEVEL1, + "Received an unexpected %s response, ignored", + mapping_find(exchange_type_m, exchange_type)); + } + return FAILED; + } + else + { + /* now the message is processed by the current state object. + * The specific state object is responsible to check if a message can be received in + * the state it represents. + * The current state is also responsible to change the state object to the next state + * by calling protected_ike_sa_t.set_new_state + */ + return this->current_state->process_message(this->current_state, message); + } +} + +/** + * Implementation of protected_ike_sa_t.initiate_connection. + */ +static status_t initiate_connection(private_ike_sa_t *this, connection_t *connection) +{ + initiator_init_t *current_state; + + /* Work is done in state object of type INITIATOR_INIT. All other states are not + * initial states and so don't have a initiate_connection function */ + + if (this->current_state->get_state(this->current_state) != INITIATOR_INIT) + { + return FAILED; + } + + current_state = (initiator_init_t *) this->current_state; + + return current_state->initiate_connection(current_state, connection); +} + /** * Implementation of ike_sa_t.get_child_sa. */ @@ -908,6 +1014,83 @@ static child_sa_t *get_child_sa(private_ike_sa_t *this, u_int32_t reqid) return found; } +/** + * Implementation of ike_sa_t.delete_child_sa. + */ +static status_t delete_child_sa(private_ike_sa_t *this, u_int32_t reqid) +{ + return NOT_FOUND; +} + +/** + * Implementation of ike_sa_t.rekey_child_sa. + */ +static status_t rekey_child_sa(private_ike_sa_t *this, u_int32_t reqid) +{ + message_t *request; + child_sa_t *child_sa; + notify_payload_t *notify; + sa_payload_t *sa_payload; + ts_payload_t *tsi_payload, *tsr_payload; + nonce_payload_t *nonce_payload; + policy_t *policy; + randomizer_t *randomizer; + linked_list_t *proposals; + chunk_t nonce; + linked_list_t *my_ts, *other_ts; + state_t *old_state; + + if (this->current_state->get_state(this->current_state) != IKE_SA_ESTABLISHED) + { + this->logger->log(this->logger, ERROR|LEVEL1, + "Rekeying of an IKE_SA not in state IKE_SA_ESTABLISHED, aborting", reqid); + return FAILED; + } + + child_sa = get_child_sa(this, reqid); + if (child_sa == NULL) + { + this->logger->log(this->logger, ERROR|LEVEL1, + "IKE_SA does not contain a CHILD_SA with reqid %d", reqid); + return FAILED; + } + + build_message(this, CREATE_CHILD_SA, TRUE, &request); + notify = notify_payload_create_from_protocol_and_type( + child_sa->get_protocol(child_sa), REKEY_SA); + notify->set_spi(notify, child_sa->get_spi(child_sa, TRUE)); + request->add_payload(request, (payload_t*)notify); + + proposals = this->policy->get_proposals(this->policy); + sa_payload = sa_payload_create_from_proposal_list(proposals); + request->add_payload(request, (payload_t*)sa_payload); + + nonce_payload = nonce_payload_create(); + if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer, + NONCE_SIZE, &nonce)) + { + request->destroy(request); + return FAILED; + } + nonce_payload->set_nonce(nonce_payload, nonce); + request->add_payload(request, (payload_t*)nonce_payload); + + my_ts = this->policy->get_my_traffic_selectors(this->policy); + other_ts = this->policy->get_my_traffic_selectors(this->policy); + tsi_payload = ts_payload_create_from_traffic_selectors(TRUE, my_ts); + tsr_payload = ts_payload_create_from_traffic_selectors(FALSE, other_ts); + request->add_payload(request, (payload_t*)tsi_payload); + request->add_payload(request, (payload_t*)tsr_payload); + + send_request(this, request); + + old_state = this->current_state; + set_new_state(this, (state_t*)create_child_sa_requested_create(&this->protected, nonce)); + old_state->destroy(old_state); + + return SUCCESS; +} + /** * Implementation of protected_ike_sa_t.reset_message_buffers. */ @@ -1125,7 +1308,6 @@ static void destroy(private_ike_sa_t *this) this->ike_sa_id->destroy(this->ike_sa_id); this->randomizer->destroy(this->randomizer); this->current_state->destroy(this->current_state); - free(this); } @@ -1135,10 +1317,12 @@ static void destroy(private_ike_sa_t *this) ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) { private_ike_sa_t *this = malloc_thing(private_ike_sa_t); - + /* Public functions */ this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message; this->protected.public.initiate_connection = (status_t(*)(ike_sa_t*,connection_t*)) initiate_connection; + this->protected.public.delete_child_sa = (status_t(*)(ike_sa_t*,u_int32_t)) delete_child_sa; + this->protected.public.rekey_child_sa = (status_t(*)(ike_sa_t*,u_int32_t)) rekey_child_sa; this->protected.public.get_child_sa = (child_sa_t*(*)(ike_sa_t*,u_int32_t))get_child_sa; this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id; this->protected.public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host; @@ -1153,7 +1337,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->protected.public.destroy = (void(*)(ike_sa_t*))destroy; /* protected functions */ - this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message; + this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t,bool,message_t**)) build_message; this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf; this->protected.get_child_prf = (prf_t *(*) (protected_ike_sa_t *)) get_child_prf; this->protected.get_prf_auth_i = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_i; diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h index db0c120df..d73dc7165 100644 --- a/src/charon/sa/ike_sa.h +++ b/src/charon/sa/ike_sa.h @@ -126,6 +126,34 @@ struct ike_sa_t { */ child_sa_t* (*get_child_sa) (ike_sa_t *this, u_int32_t reqid); + /** + * @brief Close the CHILD SA with the specified reqid. + * + * Looks for a CHILD SA owned by this IKE_SA, deletes it and + * notify's the remote peer about the delete. The associated + * states and policies in the kernel get deleted, if they exist. + * + * @param this calling object + * @param reqid reqid of the child SA, as used in the kernel + * @return + * - NOT_FOUND, if IKE_SA has no such CHILD_SA + * - SUCCESS, if deleted and delete message sent + */ + status_t (*delete_child_sa) (ike_sa_t *this, u_int32_t reqid); + + /** + * @brief Rekey the CHILD SA with the specified reqid. + * + * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing. + * + * @param this calling object + * @param spi security parameter index identifying the SA to rekey + * @return + * - NOT_FOUND, if IKE_SA has no such CHILD_SA + * - SUCCESS, if rekeying initiated + */ + status_t (*rekey_child_sa) (ike_sa_t *this, u_int32_t reqid); + /** * @brief Get local peer address of the IKE_SA. * diff --git a/src/charon/sa/states/create_child_sa_requested.c b/src/charon/sa/states/create_child_sa_requested.c new file mode 100644 index 000000000..2ff37983b --- /dev/null +++ b/src/charon/sa/states/create_child_sa_requested.c @@ -0,0 +1,112 @@ +/** + * @file create_child_sa_requested.c + * + * @brief State after a CREATE_CHILD_SA request was sent. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "create_child_sa_requested.h" + +#include +#include +#include +#include +#include +#include + + +typedef struct private_create_child_sa_requested_t private_create_child_sa_requested_t; + +/** + * Private data of a create_child_sa_requested_t object. + */ +struct private_create_child_sa_requested_t { + /** + * Public interface of create_child_sa_requested_t. + */ + create_child_sa_requested_t public; + + /** + * Assigned IKE_SA. + */ + protected_ike_sa_t *ike_sa; + + /** + * nonce chosen by initiator + */ + chunk_t nonce_i; + + /** + * nonce chosen by the responder + */ + chunk_t nonce_r; + + /** + * Assigned logger. + * + * Is logger of ike_sa! + */ + logger_t *logger; +}; + +/** + * Implements state_t.get_state + */ +static status_t process_message(private_create_child_sa_requested_t *this, message_t *request) +{ + this->logger->log(this->logger, ERROR, "NOT IMPLEMENTED"); +} + +/** + * Implements state_t.get_state + */ +static ike_sa_state_t get_state(private_create_child_sa_requested_t *this) +{ + return CREATE_CHILD_SA_REQUESTED; +} + +/** + * Implementation of state_t.destroy. + */ +static void destroy(private_create_child_sa_requested_t *this) +{ + chunk_free(&this->nonce_i); + chunk_free(&this->nonce_r); + free(this); +} + +/* + * Described in header. + */ +create_child_sa_requested_t *create_child_sa_requested_create(protected_ike_sa_t *ike_sa, chunk_t nonce_i) +{ + private_create_child_sa_requested_t *this = malloc_thing(private_create_child_sa_requested_t); + + /* interface functions */ + this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message; + this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state; + this->public.state_interface.destroy = (void (*) (state_t *)) destroy; + + /* private data */ + this->ike_sa = ike_sa; + this->nonce_i = nonce_i; + this->nonce_r = CHUNK_INITIALIZER; + this->logger = logger_manager->get_logger(logger_manager, IKE_SA); + + return &(this->public); +} diff --git a/src/charon/sa/states/create_child_sa_requested.h b/src/charon/sa/states/create_child_sa_requested.h new file mode 100644 index 000000000..f6f8f011d --- /dev/null +++ b/src/charon/sa/states/create_child_sa_requested.h @@ -0,0 +1,57 @@ +/** + * @file create_child_sa_requested.h + * + * @brief Interface of create_child_sa_requested_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef CREATE_CHILD_SA_REQEUSTED_H_ +#define CREATE_CHILD_SA_REQEUSTED_H_ + +#include +#include + +typedef struct create_child_sa_requested_t create_child_sa_requested_t; + +/** + * @brief State after a CREATE_CHILD_SA request was sent. + * + * @b Constructors: + * - create_child_sa_requested_create() + * + * @ingroup states + */ +struct create_child_sa_requested_t { + /** + * methods of the state_t interface + */ + state_t state_interface; +}; + +/** + * @brief Constructor of class create_child_sa_requested_t + * + * @param ike_sa assigned ike_sa + * @param nonce nonce sent at initialization + * @return created create_child_sa_requested_t object + * + * @ingroup states + */ +create_child_sa_requested_t *create_child_sa_requested_create(protected_ike_sa_t *ike_sa, chunk_t nonce_i); + +#endif /*CREATE_CHILD_SA_REQEUSTED_H_*/ diff --git a/src/charon/sa/states/ike_sa_established.c b/src/charon/sa/states/ike_sa_established.c index 782b608dc..acbbb3781 100644 --- a/src/charon/sa/states/ike_sa_established.c +++ b/src/charon/sa/states/ike_sa_established.c @@ -48,138 +48,13 @@ struct private_ike_sa_established_t { logger_t *logger; }; -/** - * Process an informational request - */ -static status_t process_informational(private_ike_sa_established_t *this, message_t *request, message_t *response) -{ - delete_payload_t *delete_request = NULL; - iterator_t *payloads = request->get_payload_iterator(request); - - while (payloads->has_next(payloads)) - { - payload_t *payload; - payloads->current(payloads, (void**)&payload); - - switch (payload->get_type(payload)) - { - case DELETE: - { - delete_request = (delete_payload_t *) payload; - break; - } - default: - { - this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)", - mapping_find(payload_type_m, payload->get_type(payload)), - payload->get_type(payload)); - break; - } - } - } - /* iterator can be destroyed */ - payloads->destroy(payloads); - - if (delete_request) - { - if (delete_request->get_protocol_id(delete_request) == PROTO_IKE) - { - this->logger->log(this->logger, CONTROL, "DELETE request for IKE_SA received"); - /* we reply with an empty informational message */ - return DESTROY_ME; - } - else - { - this->logger->log(this->logger, CONTROL, "DELETE request for CHILD_SA received. Ignored"); - response->destroy(response); - return SUCCESS; - } - } - return SUCCESS; -} /** * Implements state_t.get_state */ static status_t process_message(private_ike_sa_established_t *this, message_t *message) { - delete_payload_t *delete_request = NULL; - ike_sa_id_t *ike_sa_id; - iterator_t *payloads; - message_t *response; - crypter_t *crypter; - signer_t *signer; - status_t status; - - /* only requests are allowed, responses are handled in sub-states */ - if (!message->get_request(message)) - { - this->logger->log(this->logger, ERROR | LEVEL1, - "INFORMATIONAL responses not handled in state ike_sa_established"); - return FAILED; - } - - /* get signer for verification and crypter for decryption */ - ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public)); - if (!ike_sa_id->is_initiator(ike_sa_id)) - { - crypter = this->ike_sa->get_crypter_initiator(this->ike_sa); - signer = this->ike_sa->get_signer_initiator(this->ike_sa); - } - else - { - crypter = this->ike_sa->get_crypter_responder(this->ike_sa); - signer = this->ike_sa->get_signer_responder(this->ike_sa); - } - - /* parse incoming message */ - status = message->parse_body(message, crypter, signer); - if (status != SUCCESS) - { - this->logger->log(this->logger, AUDIT, "%s request decryption failed. Ignoring message", - mapping_find(exchange_type_m, message->get_exchange_type(message))); - return status; - } - - /* prepare a reply of the same type */ - this->ike_sa->build_message(this->ike_sa, message->get_exchange_type(message), FALSE, &response); - - /* handle the different message types in their functions */ - switch (message->get_exchange_type(message)) - { - case INFORMATIONAL: - status = process_informational(this, message, response); - break; - default: - this->logger->log(this->logger, ERROR | LEVEL1, - "Message of type %s currently not supported in state ike_sa_established", - mapping_find(exchange_type_m, message->get_exchange_type(message))); - status = NOT_SUPPORTED; - } - - /* if we get a DESTROY_ME, we respond to follow strict request/reply scheme */ - if (status == SUCCESS || status == DESTROY_ME) - { - if (this->ike_sa->send_response(this->ike_sa, response) != SUCCESS) - { - /* something is seriously wrong, kill connection */ - this->logger->log(this->logger, AUDIT, "Unable to send reply. Deleting IKE_SA"); - response->destroy(response); - status = DESTROY_ME; - } - else if (status == DESTROY_ME) - { - /* switch to delete_requested. This is not absolutly correct, but we - * allow the clean destruction of an SA only in this state. */ - this->ike_sa->set_new_state(this->ike_sa, (state_t*)delete_requested_create(this)); - this->public.state_interface.destroy(&(this->public.state_interface)); - } - } - else - { - response->destroy(response); - } - return status; + } /** diff --git a/src/charon/sa/states/ike_sa_init_requested.c b/src/charon/sa/states/ike_sa_init_requested.c index a2ba3d301..40b0f9551 100644 --- a/src/charon/sa/states/ike_sa_init_requested.c +++ b/src/charon/sa/states/ike_sa_init_requested.c @@ -572,7 +572,9 @@ static status_t build_sa_payload (private_ike_sa_init_requested_t *this, message /* build child sa */ connection = this->ike_sa->get_connection(this->ike_sa); this->child_sa = child_sa_create(connection->get_my_host(connection), - connection->get_other_host(connection)); + connection->get_other_host(connection), + policy->get_soft_lifetime(policy), + policy->get_hard_lifetime(policy)); if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS) { this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA"); diff --git a/src/charon/sa/states/ike_sa_init_responded.c b/src/charon/sa/states/ike_sa_init_responded.c index 50ca73b49..f9d1e8405 100644 --- a/src/charon/sa/states/ike_sa_init_responded.c +++ b/src/charon/sa/states/ike_sa_init_responded.c @@ -441,6 +441,7 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo prf_plus_t *prf_plus; status_t status; connection_t *connection; + policy_t *policy; /* prepare reply */ sa_response = sa_payload_create(); @@ -474,9 +475,12 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed); chunk_free(&seed); + policy = this->ike_sa->get_policy(this->ike_sa); connection = this->ike_sa->get_connection(this->ike_sa); this->child_sa = child_sa_create(connection->get_my_host(connection), - connection->get_other_host(connection)); + connection->get_other_host(connection), + policy->get_soft_lifetime(policy), + policy->get_hard_lifetime(policy)); status = this->child_sa->add(this->child_sa, proposal, prf_plus); prf_plus->destroy(prf_plus); diff --git a/src/charon/sa/states/initiator_init.c b/src/charon/sa/states/initiator_init.c index 8aa5bad98..8f27acf5c 100644 --- a/src/charon/sa/states/initiator_init.c +++ b/src/charon/sa/states/initiator_init.c @@ -159,14 +159,15 @@ status_t retry_initiate_connection (private_initiator_init_t *this, diffie_hellm message_t *message; status_t status; - if (dh_group == MODP_UNDEFINED) + this->diffie_hellman = diffie_hellman_create(dh_group); + if (this->diffie_hellman == NULL) { - this->logger->log(this->logger, AUDIT, "No DH group acceptable for initialization, Aborting"); + this->logger->log(this->logger, AUDIT, "DH group %s (%d) not supported, aborting", + mapping_find(diffie_hellman_group_m, dh_group), dh_group); return DESTROY_ME; } connection = this->ike_sa->get_connection(this->ike_sa); - this->diffie_hellman = diffie_hellman_create(dh_group); ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public)); ike_sa_id->set_responder_spi(ike_sa_id,0); @@ -174,12 +175,10 @@ status_t retry_initiate_connection (private_initiator_init_t *this, diffie_hellm this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message"); this->ike_sa->build_message(this->ike_sa, IKE_SA_INIT, TRUE, &message); - /* build SA payload */ + /* build SA payload */ this->build_sa_payload(this, message); - /* build KE payload */ this->build_ke_payload(this, message); - /* build Nonce payload */ status = this->build_nonce_payload(this, message); if (status != SUCCESS) @@ -188,7 +187,6 @@ status_t retry_initiate_connection (private_initiator_init_t *this, diffie_hellm message->destroy(message); return DESTROY_ME; } - /* message can now be sent (must not be destroyed) */ status = this->ike_sa->send_request(this->ike_sa, message); if (status != SUCCESS) @@ -244,7 +242,7 @@ static void build_ke_payload(private_initiator_init_t *this, message_t *request) this->logger->log(this->logger, CONTROL|LEVEL1, "Building KE payload"); - this->diffie_hellman->get_my_public_value(this->diffie_hellman,&key_data); + this->diffie_hellman->get_my_public_value(this->diffie_hellman, &key_data); dh_group = this->diffie_hellman->get_dh_group(this->diffie_hellman); ke_payload = ke_payload_create(); diff --git a/src/charon/sa/states/responder_init.c b/src/charon/sa/states/responder_init.c index 8ee77269d..2923bbb27 100644 --- a/src/charon/sa/states/responder_init.c +++ b/src/charon/sa/states/responder_init.c @@ -343,7 +343,7 @@ static status_t build_sa_payload(private_responder_init_t *this,sa_payload_t *sa return DESTROY_ME; } /* get selected DH group to force policy, this is very restrictive!? */ - this->proposal->get_algorithm(this->proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, &algo); + this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP, &algo); this->dh_group_number = algo->algorithm; this->logger->log(this->logger, CONTROL | LEVEL2, "SA Payload processed"); diff --git a/src/charon/sa/states/state.c b/src/charon/sa/states/state.c index eda29870b..b91c6cfe1 100644 --- a/src/charon/sa/states/state.c +++ b/src/charon/sa/states/state.c @@ -34,5 +34,6 @@ mapping_t ike_sa_state_m[] = { {IKE_AUTH_REQUESTED, "IKE_AUTH_REQUESTED"}, {IKE_SA_ESTABLISHED, "IKE_SA_ESTABLISHED"}, {DELETE_REQUESTED, "DELETE_REQUESTED"}, + {CREATE_CHILD_SA_REQUESTED, "CREATE_CHILD_SA_REQUESTED"}, {MAPPING_END, NULL} }; diff --git a/src/charon/sa/states/state.h b/src/charon/sa/states/state.h index 0f39aec01..77193e7cf 100644 --- a/src/charon/sa/states/state.h +++ b/src/charon/sa/states/state.h @@ -34,6 +34,8 @@ typedef enum ike_sa_state_t ike_sa_state_t; * * @todo Support of more states (CHILD_SA_REQUESTED, etc...) * + * @see state_t for state diagram + * * @ingroup states */ enum ike_sa_state_t { @@ -54,7 +56,7 @@ enum ike_sa_state_t { * * Implemented in class responder_init_t. */ - RESPONDER_INIT = 2, + RESPONDER_INIT, /** * @brief A IKE_SA_INIT request was sent. In this state a reply of type IKE_SA_INIT is expected. @@ -65,7 +67,7 @@ enum ike_sa_state_t { * * Implemented in class ike_sa_init_requested_t. */ - IKE_SA_INIT_REQUESTED = 3, + IKE_SA_INIT_REQUESTED, /** * @brief A IKE_SA_INIT response was sent. In this state a request of type IKE_AUTH is expected. @@ -74,7 +76,7 @@ enum ike_sa_state_t { * * Implemented in class ike_sa_init_responded_t. */ - IKE_SA_INIT_RESPONDED = 4, + IKE_SA_INIT_RESPONDED, /** * @brief An IKE_AUTH request was sent after a successful IKE_SA_INIT-exchange. @@ -83,7 +85,7 @@ enum ike_sa_state_t { * * Implemented in class ike_auth_requested_t. */ - IKE_AUTH_REQUESTED = 5, + IKE_AUTH_REQUESTED, /** * @brief An IKE_AUTH exchange was successfuly handled either as initiator or responder. @@ -92,7 +94,7 @@ enum ike_sa_state_t { * * Implemented in class ike_sa_established_t. */ - IKE_SA_ESTABLISHED = 6, + IKE_SA_ESTABLISHED, /** * @brief An IKE SA has sent a DELETE IKE_SA to the other peer. @@ -103,7 +105,9 @@ enum ike_sa_state_t { * * Implemented in class delete_requested. */ - DELETE_REQUESTED = 7 + DELETE_REQUESTED, + + CREATE_CHILD_SA_REQUESTED, }; @@ -117,24 +121,57 @@ typedef struct state_t state_t; /** * @brief This interface represents an IKE_SA state. + * + * A state_t object is responsible to handle incoming messages. States + * are exclusive, an IKE_SA is exactly in one state. They are used on IKE_SA + * setup, as there is a strict scheme message exchange follow. This can be + * mapped in a state machine. Every state is represented in a single class, + * and the IKE_SA may switch these states by replacing the owned state. + @verbatim + initiator responder + --------- --------- + + ¦ ¦ + V ¦ + +-----------------------+ ¦ + ¦ initiator_init ¦ msg1 V + +-----------------------+ -----> +-----------------------+ + ¦ msg2 ¦ responder_init ¦ + V <----- +-----------------------+ + +-----------------------+ ¦ + ¦ ike_sa_init_requested ¦ msg3 V + +-----------------------+ -----> +-----------------------+ + ¦ msg4 ¦ ike_sa_init_requested ¦ + V <----- +-----------------------+ + +-----------------------+ ¦ + ¦ ike_auth_requested ¦ ¦ + +-----------------------+ ¦ + ¦ ¦ + V V + +---------------------------+ + ¦ ike_sa_established ¦ + +---------------------------+ + ¦ + V + +---------------------------+ + ¦ delete_requested ¦ + +---------------------------+ + + msg1 = IKE_SA_INIT request + msg2 = IKE_SA_INIT response + msg3 = IKE_AUTH request + msg4 = IKE_AUTH response + @endverbatim + * Every state can be left by deleting the IKE_SA, except the state + * ike_sa_established: it must switch to the delete_requested state first, + * as the peer must be informed about the delete. * - * A state_t object is responsible to handle incoming messages. - * - * It's the responsibility of the state_t object to parse the body of the message and to process each - * payload. - * - * Needed Configurations and transform objects can be retrieved over an internal stored protected_ike_sa_t object - * which is passed to a state_t object when creating it (see different constructors). - * - * The following states are supported and implemented: - * - INITIATOR_INIT: implemented in initiator_init_t - * - RESPONDER_INIT: implemented in responder_init_t - * - IKE_SA_INIT_REQUESTED: implemented in ike_sa_init_requested_t - * - IKE_SA_INIT_RESPONDED: implemented in ike_sa_init_responded_t - * - IKE_AUTH_REQUESTED: implemented in ike_auth_requested_t - * - IKE_SA_ESTABLISHED: implemented in ike_sa_established_t - * - DELETE_REQUESTED: implemented in delete_requested_t - * + * For the handling of message in a established IKE_SA, another concept is used. + * The state-concept is good if a single state is possible. But in a established + * IKE_SA, there is no strict message order, and if a window size > 1 is used, + * multiple "states" would be possible. We call this transactions, better + * descripted in the transaction_t interface. + * * @b Constructors: * - initiator_init_create() * - responder_init_create() @@ -176,4 +213,4 @@ struct state_t { void (*destroy) (state_t *this); }; -#endif /*STATE_H_*/ +#endif /* STATE_H_ */ diff --git a/src/charon/testing/Makefile.am b/src/charon/testing/Makefile.am index 857ef067b..e34b8291a 100644 --- a/src/charon/testing/Makefile.am +++ b/src/charon/testing/Makefile.am @@ -29,7 +29,7 @@ $(top_srcdir)/src/charon/ke_payload.o $(top_srcdir)/src/charon/unknown_payload.o $(top_srcdir)/src/charon/delete_payload.o $(top_srcdir)/src/charon/sa_payload.o $(top_srcdir)/src/charon/certreq_payload.o $(top_srcdir)/src/charon/vendor_id_payload.o \ $(top_srcdir)/src/charon/proposal_substructure.o $(top_srcdir)/src/charon/payload.o $(top_srcdir)/src/charon/message.o $(top_srcdir)/src/charon/generator.o \ $(top_srcdir)/src/charon/parser.o $(top_srcdir)/src/charon/packet.o $(top_srcdir)/src/charon/socket.o $(top_srcdir)/src/charon/job.o \ -$(top_srcdir)/src/charon/delete_child_sa_job.o $(top_srcdir)/src/charon/rekey_child_sa_job.o \ +$(top_srcdir)/src/charon/delete_child_sa_job.o $(top_srcdir)/src/charon/rekey_child_sa_job.o $(top_srcdir)/src/charon/create_child_sa_requested.o \ $(top_srcdir)/src/charon/delete_established_ike_sa_job.o $(top_srcdir)/src/charon/incoming_packet_job.o $(top_srcdir)/src/charon/delete_half_open_ike_sa_job.o \ $(top_srcdir)/src/charon/retransmit_request_job.o $(top_srcdir)/src/charon/initiate_ike_sa_job.o $(top_srcdir)/src/charon/job_queue.o $(top_srcdir)/src/charon/event_queue.o \ $(top_srcdir)/src/charon/send_queue.o $(top_srcdir)/src/charon/kernel_interface.o $(top_srcdir)/src/charon/thread_pool.o $(top_srcdir)/src/charon/scheduler.o \ diff --git a/src/charon/testing/child_sa_test.c b/src/charon/testing/child_sa_test.c index 0cf354c26..f36ab74d4 100644 --- a/src/charon/testing/child_sa_test.c +++ b/src/charon/testing/child_sa_test.c @@ -49,14 +49,14 @@ void test_child_sa(protected_tester_t *tester) remote_me = host_create(AF_INET, "192.168.0.3", 0); remote_other = host_create(AF_INET, "192.168.0.4", 0); - local_sa = child_sa_create(local_me, local_other); - remote_sa = child_sa_create(remote_me, remote_other); + local_sa = child_sa_create(local_me, local_other, 5, 10); + remote_sa = child_sa_create(remote_me, remote_other, 5, 10); - proposal1 = proposal_create(1); - proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); + proposal1 = proposal_create(PROTO_ESP); + proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); - proposal2 = proposal_create(2); - proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); + proposal2 = proposal_create(PROTO_AH); + proposal2->add_algorithm(proposal2, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); list = linked_list_create(); list->insert_last(list, proposal1); diff --git a/src/charon/testing/connection_test.c b/src/charon/testing/connection_test.c index 9478b0e57..9ba4ef39b 100644 --- a/src/charon/testing/connection_test.c +++ b/src/charon/testing/connection_test.c @@ -37,29 +37,29 @@ void test_connection(protected_tester_t *tester) proposal_t *prop1, *prop2, *prop3, *prop4; linked_list_t *list; - prop1 = proposal_create(1); - prop1->add_algorithm(prop1, PROTO_IKE, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 20); - prop1->add_algorithm(prop1, PROTO_IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); - prop1->add_algorithm(prop1, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 20); - prop1->add_algorithm(prop1, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0); + prop1 = proposal_create(PROTO_IKE); + prop1->add_algorithm(prop1, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 20); + prop1->add_algorithm(prop1, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); + prop1->add_algorithm(prop1, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 20); + prop1->add_algorithm(prop1, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0); - prop2 = proposal_create(2); - prop2->add_algorithm(prop2, PROTO_IKE, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 20); - prop2->add_algorithm(prop2, PROTO_IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); - prop2->add_algorithm(prop2, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 20); - prop2->add_algorithm(prop2, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); + prop2 = proposal_create(PROTO_IKE); + prop2->add_algorithm(prop2, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 20); + prop2->add_algorithm(prop2, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); + prop2->add_algorithm(prop2, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 20); + prop2->add_algorithm(prop2, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); - prop3 = proposal_create(3); - prop3->add_algorithm(prop3, PROTO_IKE, ENCRYPTION_ALGORITHM, ENCR_DES, 20); - prop3->add_algorithm(prop3, PROTO_IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); - prop3->add_algorithm(prop3, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 20); - prop3->add_algorithm(prop3, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0); + prop3 = proposal_create(PROTO_IKE); + prop3->add_algorithm(prop3, ENCRYPTION_ALGORITHM, ENCR_DES, 20); + prop3->add_algorithm(prop3, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); + prop3->add_algorithm(prop3, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 20); + prop3->add_algorithm(prop3, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0); - prop4 = proposal_create(4); - prop4->add_algorithm(prop4, PROTO_IKE, ENCRYPTION_ALGORITHM, ENCR_3DES, 20); - prop4->add_algorithm(prop4, PROTO_IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); - prop4->add_algorithm(prop4, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_TIGER, 20); - prop4->add_algorithm(prop4, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0); + prop4 = proposal_create(PROTO_IKE); + prop4->add_algorithm(prop4, ENCRYPTION_ALGORITHM, ENCR_3DES, 20); + prop4->add_algorithm(prop4, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); + prop4->add_algorithm(prop4, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_TIGER, 20); + prop4->add_algorithm(prop4, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0); connection->add_proposal(connection, prop1); connection->add_proposal(connection, prop2); diff --git a/src/charon/testing/generator_test.c b/src/charon/testing/generator_test.c index 02f1f446b..8ce7cf5b7 100644 --- a/src/charon/testing/generator_test.c +++ b/src/charon/testing/generator_test.c @@ -568,17 +568,17 @@ void test_generator_with_sa_payload(protected_tester_t *tester) tester->assert_true(tester,(generator != NULL), "generator create check"); - proposal1 = proposal_create(1); - proposal1->add_algorithm(proposal1, PROTO_IKE, ENCRYPTION_ALGORITHM, 1, 20); - proposal1->add_algorithm(proposal1, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, 2, 22); - proposal1->add_algorithm(proposal1, PROTO_IKE, INTEGRITY_ALGORITHM, 3, 24); - proposal1->add_algorithm(proposal1, PROTO_IKE, DIFFIE_HELLMAN_GROUP, 4, 0); + proposal1 = proposal_create(PROTO_IKE); + proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, 1, 20); + proposal1->add_algorithm(proposal1, PSEUDO_RANDOM_FUNCTION, 2, 22); + proposal1->add_algorithm(proposal1, INTEGRITY_ALGORITHM, 3, 24); + proposal1->add_algorithm(proposal1, DIFFIE_HELLMAN_GROUP, 4, 0); - proposal2 = proposal_create(2); - proposal2->add_algorithm(proposal2, PROTO_IKE, ENCRYPTION_ALGORITHM, 5, 26); - proposal2->add_algorithm(proposal2, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, 6, 28); - proposal2->add_algorithm(proposal2, PROTO_IKE, INTEGRITY_ALGORITHM, 7, 30); - proposal2->add_algorithm(proposal2, PROTO_IKE, DIFFIE_HELLMAN_GROUP, 8, 0); + proposal2 = proposal_create(PROTO_IKE); + proposal2->add_algorithm(proposal2, ENCRYPTION_ALGORITHM, 5, 26); + proposal2->add_algorithm(proposal2, PSEUDO_RANDOM_FUNCTION, 6, 28); + proposal2->add_algorithm(proposal2, INTEGRITY_ALGORITHM, 7, 30); + proposal2->add_algorithm(proposal2, DIFFIE_HELLMAN_GROUP, 8, 0); list = linked_list_create(); list->insert_last(list, (void*)proposal1); @@ -630,121 +630,7 @@ void test_generator_with_sa_payload(protected_tester_t *tester) proposal1->destroy(proposal1); proposal2->destroy(proposal2); chunk_free(&generated_data); - generator->destroy(generator); - - - /* --------------------------- */ - /* test with automatic created child proposals */ - - generator = generator_create(); - tester->assert_true(tester,(generator != NULL), "generator create check"); - - - proposal1 = proposal_create(1); - - proposal1->add_algorithm(proposal1, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20); - proposal1->add_algorithm(proposal1, PROTO_AH, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0); - proposal1->add_algorithm(proposal1, PROTO_AH, EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0); - proposal1->set_spi(proposal1, PROTO_AH, 0x01010101l); - - proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 20); - proposal1->add_algorithm(proposal1, PROTO_ESP, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); - proposal1->set_spi(proposal1, PROTO_ESP, 0x02020202); - - - proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20); - proposal2->add_algorithm(proposal2, PROTO_AH, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0); - proposal2->add_algorithm(proposal2, PROTO_AH, EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0); - proposal2->set_spi(proposal2, PROTO_AH, 0x01010101); - - proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 32); - proposal2->add_algorithm(proposal2, PROTO_ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20); - proposal2->add_algorithm(proposal2, PROTO_ESP, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); - proposal2->set_spi(proposal2, PROTO_ESP, 0x02020202); - - list->insert_last(list, (void*)proposal1); - list->insert_last(list, (void*)proposal2); - - sa_payload = sa_payload_create_from_proposal_list(list); - tester->assert_true(tester,(sa_payload != NULL), "sa_payload create check"); - - generator->generate_payload(generator,(payload_t *)sa_payload); - generator->write_to_chunk(generator,&generated_data); - logger->log_chunk(logger,RAW,"generated",generated_data); - - u_int8_t expected_generation3[] = { - 0x00,0x00,0x00,0xA0, /* payload header*/ - - /* suite 1 */ - 0x02,0x00,0x00,0x28, /* a proposal */ - 0x01,0x02,0x04,0x03, - 0x01,0x01,0x01,0x01, - 0x03,0x00,0x00,0x0C, /* transform 1 */ - 0x03,0x00,0x00,0x01, - 0x80,0x0E,0x00,0x14, /* keylength attribute with 20 bytes length */ - - 0x03,0x00,0x00,0x08, /* transform 2 */ - 0x04,0x00,0x00,0x0E, - - 0x00,0x00,0x00,0x08, /* transform 3 */ - 0x05,0x00,0x00,0x01, - - - 0x02,0x00,0x00,0x20, /* a proposal */ - 0x01,0x03,0x04,0x02, - 0x02,0x02,0x02,0x02, - - 0x03,0x00,0x00,0x0C, /* transform 1 */ - 0x01,0x00,0x00,0x0C, - 0x80,0x0E,0x00,0x20, /* keylength attribute with 32 bytes length */ - - 0x00,0x00,0x00,0x08, /* transform 2 */ - 0x04,0x00,0x00,0x02, - - /* suite 2 */ - 0x02,0x00,0x00,0x28, /* a proposal */ - 0x02,0x02,0x04,0x03, - 0x01,0x01,0x01,0x01, - 0x03,0x00,0x00,0x0C, /* transform 1 */ - 0x03,0x00,0x00,0x01, - 0x80,0x0E,0x00,0x14, /* keylength attribute with 20 bytes length */ - - 0x03,0x00,0x00,0x08, /* transform 2 */ - 0x04,0x00,0x00,0x0E, - - 0x00,0x00,0x00,0x08, /* transform 3 */ - 0x05,0x00,0x00,0x01, - - - 0x00,0x00,0x00,0x2C, /* a proposal */ - 0x02,0x03,0x04,0x03, - 0x02,0x02,0x02,0x02, - - 0x03,0x00,0x00,0x0C, /* transform 1 */ - 0x01,0x00,0x00,0x0C, - 0x80,0x0E,0x00,0x20, /* keylength attribute with 32 bytes length */ - - 0x03,0x00,0x00,0x0C, /* transform 2 */ - 0x03,0x00,0x00,0x01, - 0x80,0x0E,0x00,0x14, /* keylength attribute with 20 bytes length */ - - 0x00,0x00,0x00,0x08, /* transform 3 */ - 0x04,0x00,0x00,0x02, - - }; - - - logger->log_bytes(logger,RAW,"expected",expected_generation3,sizeof(expected_generation3)); - - tester->assert_true(tester,(memcmp(expected_generation3,generated_data.ptr,sizeof(expected_generation3)) == 0), "compare generated data"); - - sa_payload->destroy(sa_payload); - proposal1->destroy(proposal1); - proposal2->destroy(proposal2); - list->destroy(list); - chunk_free(&generated_data); - generator->destroy(generator); - + generator->destroy(generator); } /* @@ -819,16 +705,12 @@ void test_generator_with_notify_payload(protected_tester_t *tester) notify_payload = notify_payload_create(); - - spi.ptr = "12345"; - spi.len = strlen(spi.ptr); - notification_data.ptr = "67890"; notification_data.len = strlen(notification_data.ptr); notify_payload->set_protocol_id(notify_payload,255); notify_payload->set_notify_message_type(notify_payload,63333); /* Hex F765 */ - notify_payload->set_spi(notify_payload,spi); + notify_payload->set_spi(notify_payload, 0x3132333435); notify_payload->set_notification_data(notify_payload,notification_data); generator->generate_payload(generator,(payload_t *)notify_payload); diff --git a/src/charon/testing/parser_test.c b/src/charon/testing/parser_test.c index 263c6eb70..87069cda0 100644 --- a/src/charon/testing/parser_test.c +++ b/src/charon/testing/parser_test.c @@ -532,6 +532,7 @@ void test_parser_with_notify_payload(protected_tester_t *tester) notify_payload_t *notify_payload; status_t status; chunk_t notify_chunk, result; + u_int32_t spi; u_int8_t notify_bytes[] = { 0x00,0x00,0x00,0x1C, /* payload header */ @@ -559,8 +560,8 @@ void test_parser_with_notify_payload(protected_tester_t *tester) tester->assert_true(tester,(notify_payload->get_protocol_id(notify_payload) == 3), "Protocol id"); tester->assert_true(tester,(notify_payload->get_notify_message_type(notify_payload) == 1), "notify message type"); - result = notify_payload->get_spi(notify_payload); - tester->assert_false(tester,(memcmp(notify_bytes + 8, result.ptr, result.len)), "parsed spi"); + spi = notify_payload->get_spi(notify_payload); + tester->assert_false(tester, spi == 0x01020303, "parsed spi"); result = notify_payload->get_notification_data(notify_payload); tester->assert_false(tester,(memcmp(notify_bytes + 12, result.ptr, result.len)), "parsed notification data"); diff --git a/src/charon/testing/policy_test.c b/src/charon/testing/policy_test.c index 639f9462f..074d03d78 100644 --- a/src/charon/testing/policy_test.c +++ b/src/charon/testing/policy_test.c @@ -34,98 +34,90 @@ */ void test_policy(protected_tester_t *tester) { - policy_t *policy; -// traffic_selector_t *ts; -// linked_list_t *ts_stored, *ts_supplied, *ts_selected, *ts_expected; - proposal_t *proposal1, *proposal2, *proposal3, *proposal_sel; - linked_list_t *proposals_list; - iterator_t *iterator; - logger_t *logger; - identification_t *alice, *bob; - - logger = logger_manager->get_logger(logger_manager, TESTER); - logger->disable_level(logger, FULL); - - alice = identification_create_from_string("152.96.193.131"); - bob = identification_create_from_string("152.96.193.130"); - policy = policy_create("test", alice, bob); - - tester->assert_true(tester, (policy != NULL), "policy construction"); - - - /* - * test proposal getting and selection - * - */ - - /* esp only prop */ - proposal1 = proposal_create(1); - proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); - - /* ah only prop */ - proposal2 = proposal_create(2); - proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); - - /* ah and esp prop */ - proposal3 = proposal_create(3); - proposal3->add_algorithm(proposal3, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_3DES, 16); - proposal3->add_algorithm(proposal3, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20); - - - policy->add_proposal(policy, proposal1); - policy->add_proposal(policy, proposal2); - policy->add_proposal(policy, proposal3); - - - proposals_list = policy->get_proposals(policy); - tester->assert_true(tester, (proposals_list->get_count(proposals_list) == 3), "proposal count"); - - - proposals_list = linked_list_create(); - proposal1 = proposal_create(1); - proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 32); - proposal2 = proposal_create(2); - proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); - proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_3DES, 16); - proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 0); - proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); - proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20); - - proposals_list->insert_last(proposals_list, proposal1); - proposals_list->insert_last(proposals_list, proposal2); - - proposal_sel = policy->select_proposal(policy, proposals_list); - tester->assert_false(tester, proposal_sel == NULL, "proposal select"); - /* check ESP encryption algo */ - iterator = proposal_sel->create_algorithm_iterator(proposal_sel, PROTO_ESP, ENCRYPTION_ALGORITHM); - tester->assert_false(tester, iterator == NULL, "algorithm select ESP"); - while (iterator->has_next(iterator)) - { - algorithm_t *algo; - iterator->current(iterator, (void**)&algo); - tester->assert_true(tester, algo->algorithm == ENCR_3DES, "ESP encryption algo"); - tester->assert_true(tester, algo->key_size == 16, "ESP encryption keysize"); - } - iterator->destroy(iterator); - iterator = proposal_sel->create_algorithm_iterator(proposal_sel, PROTO_AH, INTEGRITY_ALGORITHM); - /* check AH integrity algo */ - tester->assert_false(tester, iterator == NULL, "algorithm select AH"); - while (iterator->has_next(iterator)) - { - algorithm_t *algo; - iterator->current(iterator, (void**)&algo); - tester->assert_true(tester, algo->algorithm == AUTH_HMAC_MD5_96, "ESP encryption algo"); - tester->assert_true(tester, algo->key_size == 20, "ESP encryption keysize"); - } - iterator->destroy(iterator); - - proposal_sel->destroy(proposal_sel); - - /* cleanup */ - proposal1->destroy(proposal1); - proposal1->destroy(proposal2); - proposals_list->destroy(proposals_list); - +// policy_t *policy; +// // traffic_selector_t *ts; +// // linked_list_t *ts_stored, *ts_supplied, *ts_selected, *ts_expected; +// proposal_t *proposal1, *proposal2, *proposal3, *proposal_sel; +// linked_list_t *proposals_list; +// iterator_t *iterator; +// logger_t *logger; +// identification_t *alice, *bob; +// +// logger = logger_manager->get_logger(logger_manager, TESTER); +// logger->disable_level(logger, FULL); +// +// alice = identification_create_from_string("152.96.193.131"); +// bob = identification_create_from_string("152.96.193.130"); +// policy = policy_create("test", alice, bob); +// +// tester->assert_true(tester, (policy != NULL), "policy construction"); +// +// +// /* +// * test proposal getting and selection +// * +// */ +// +// /* esp only prop */ +// proposal1 = proposal_create(PROTO_ESP); +// proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); +// +// /* ah only prop */ +// proposal2 = proposal_create(PROTO_AH); +// proposal2->add_algorithm(proposal2, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); +// +// policy->add_proposal(policy, proposal1); +// policy->add_proposal(policy, proposal2); +// +// proposals_list = policy->get_proposals(policy); +// tester->assert_true(tester, (proposals_list->get_count(proposals_list) == 2), "proposal count"); +// +// +// proposals_list = linked_list_create(); +// proposal1 = proposal_create(1); +// proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 32); +// proposal2 = proposal_create(2); +// proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); +// proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_3DES, 16); +// proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 0); +// proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); +// proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20); +// +// proposals_list->insert_last(proposals_list, proposal1); +// proposals_list->insert_last(proposals_list, proposal2); +// +// proposal_sel = policy->select_proposal(policy, proposals_list); +// tester->assert_false(tester, proposal_sel == NULL, "proposal select"); +// /* check ESP encryption algo */ +// iterator = proposal_sel->create_algorithm_iterator(proposal_sel, PROTO_ESP, ENCRYPTION_ALGORITHM); +// tester->assert_false(tester, iterator == NULL, "algorithm select ESP"); +// while (iterator->has_next(iterator)) +// { +// algorithm_t *algo; +// iterator->current(iterator, (void**)&algo); +// tester->assert_true(tester, algo->algorithm == ENCR_3DES, "ESP encryption algo"); +// tester->assert_true(tester, algo->key_size == 16, "ESP encryption keysize"); +// } +// iterator->destroy(iterator); +// iterator = proposal_sel->create_algorithm_iterator(proposal_sel, PROTO_AH, INTEGRITY_ALGORITHM); +// /* check AH integrity algo */ +// tester->assert_false(tester, iterator == NULL, "algorithm select AH"); +// while (iterator->has_next(iterator)) +// { +// algorithm_t *algo; +// iterator->current(iterator, (void**)&algo); +// tester->assert_true(tester, algo->algorithm == AUTH_HMAC_MD5_96, "ESP encryption algo"); +// tester->assert_true(tester, algo->key_size == 20, "ESP encryption keysize"); +// } +// iterator->destroy(iterator); +// +// proposal_sel->destroy(proposal_sel); +// +// /* cleanup */ +// proposal1->destroy(proposal1); +// proposal1->destroy(proposal2); +// proposals_list->destroy(proposals_list); +// // /* // * test traffic selection getting and matching // * @@ -241,6 +233,6 @@ void test_policy(protected_tester_t *tester) // ts_request[2]->destroy(ts_request[2]); // ts_reference[2]->destroy(ts_reference[2]); // ts_request[3]->destroy(ts_request[3]); - - policy->destroy(policy); +/* + policy->destroy(policy);*/ } diff --git a/src/charon/testing/proposal_test.c b/src/charon/testing/proposal_test.c index 1b16390d3..7adad91f5 100644 --- a/src/charon/testing/proposal_test.c +++ b/src/charon/testing/proposal_test.c @@ -37,58 +37,46 @@ void test_proposal(protected_tester_t *tester) algorithm_t *algo; bool result; - proposal1 = proposal_create(1); - proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); - proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 32); - proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); - proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 0); - proposal1->add_algorithm(proposal1, PROTO_ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20); - proposal1->add_algorithm(proposal1, PROTO_ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20); - proposal1->add_algorithm(proposal1, PROTO_AH, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); - proposal1->add_algorithm(proposal1, PROTO_AH, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0); + proposal1 = proposal_create(PROTO_ESP); + proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); + proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 32); + proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); + proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 0); + proposal1->add_algorithm(proposal1, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); + proposal1->add_algorithm(proposal1, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); + proposal1->add_algorithm(proposal1, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); + proposal1->add_algorithm(proposal1, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0); - proposal2 = proposal_create(2); - proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_3IDEA, 0); - proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); - proposal2->add_algorithm(proposal2, PROTO_ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20); - proposal1->add_algorithm(proposal2, PROTO_AH, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); + proposal2 = proposal_create(PROTO_ESP); + proposal2->add_algorithm(proposal2, ENCRYPTION_ALGORITHM, ENCR_3IDEA, 0); + proposal2->add_algorithm(proposal2, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 0); + proposal2->add_algorithm(proposal2, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); /* ah and esp prop */ proposal3 = proposal1->select(proposal1, proposal2); tester->assert_false(tester, proposal3 == NULL, "proposal select"); if (proposal3) { - result = proposal3->get_algorithm(proposal3, PROTO_ESP, ENCRYPTION_ALGORITHM, &algo); + result = proposal3->get_algorithm(proposal3, ENCRYPTION_ALGORITHM, &algo); tester->assert_true(tester, result, "encryption algo select"); tester->assert_true(tester, algo->algorithm == ENCR_AES_CBC, "encryption algo"); tester->assert_true(tester, algo->key_size == 16, "encryption keylen"); - result = proposal3->get_algorithm(proposal3, PROTO_ESP, INTEGRITY_ALGORITHM, &algo); + result = proposal3->get_algorithm(proposal3, INTEGRITY_ALGORITHM, &algo); tester->assert_true(tester, result, "integrity algo select"); tester->assert_true(tester, algo->algorithm == AUTH_HMAC_MD5_96, "integrity algo"); - tester->assert_true(tester, algo->key_size == 20, "integrity keylen"); + tester->assert_true(tester, algo->key_size == 16, "integrity keylen"); - iterator = proposal3->create_algorithm_iterator(proposal3, PROTO_ESP, INTEGRITY_ALGORITHM); + iterator = proposal3->create_algorithm_iterator(proposal3, INTEGRITY_ALGORITHM); tester->assert_false(tester, iterator == NULL, "integrity algo select"); while(iterator->has_next(iterator)) { iterator->current(iterator, (void**)&algo); tester->assert_true(tester, algo->algorithm == AUTH_HMAC_MD5_96, "integrity algo"); - tester->assert_true(tester, algo->key_size == 20, "integrity keylen"); + tester->assert_true(tester, algo->key_size == 16, "integrity keylen"); } iterator->destroy(iterator); - - iterator = proposal3->create_algorithm_iterator(proposal3, PROTO_AH, DIFFIE_HELLMAN_GROUP ); - tester->assert_false(tester, iterator == NULL, "dh group algo select"); - while(iterator->has_next(iterator)) - { - iterator->current(iterator, (void**)&algo); - tester->assert_true(tester, algo->algorithm == MODP_1024_BIT, "dh group algo"); - tester->assert_true(tester, algo->key_size == 0, "dh gorup keylen"); - } - iterator->destroy(iterator); - proposal3->destroy(proposal3); } diff --git a/src/charon/threads/kernel_interface.c b/src/charon/threads/kernel_interface.c index d88fa3f29..f0844ee5f 100644 --- a/src/charon/threads/kernel_interface.c +++ b/src/charon/threads/kernel_interface.c @@ -677,17 +677,19 @@ static void receive_messages(private_kernel_interface_t *this) job_t *job; this->logger->log(this->logger, CONTROL|LEVEL1, "Received a XFRM_MSG_EXPIRE"); - this->logger->log(this->logger, CONTROL|LEVEL0, - "creating %s job for CHILD_SA with reqid %d", - response.expire.hard ? "delete" : "rekey", - response.expire.state.reqid); if (response.expire.hard) { + this->logger->log(this->logger, CONTROL|LEVEL0, + "creating delete job for CHILD_SA with reqid %d", + response.expire.state.reqid); job = (job_t*)delete_child_sa_job_create( response.expire.state.reqid); } else { + this->logger->log(this->logger, CONTROL|LEVEL0, + "creating rekey job for CHILD_SA with reqid %d", + response.expire.state.reqid); job = (job_t*)rekey_child_sa_job_create( response.expire.state.reqid); } diff --git a/src/charon/threads/stroke_interface.c b/src/charon/threads/stroke_interface.c index 8d62fccb8..00d3d3b27 100755 --- a/src/charon/threads/stroke_interface.c +++ b/src/charon/threads/stroke_interface.c @@ -294,19 +294,19 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) connection = connection_create(msg->add_conn.name, msg->add_conn.ikev2, my_host, other_host, RSA_DIGITAL_SIGNATURE); - proposal = proposal_create(1); - proposal->add_algorithm(proposal, PROTO_IKE, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); - proposal->add_algorithm(proposal, PROTO_IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); - proposal->add_algorithm(proposal, PROTO_IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); - proposal->add_algorithm(proposal, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0); - proposal->add_algorithm(proposal, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0); - proposal->add_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0); - proposal->add_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0); - proposal->add_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); - proposal->add_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0); - proposal->add_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0); + proposal = proposal_create(PROTO_IKE); + proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); + proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); + proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); + proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0); + proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0); + proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0); + proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0); + proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); + proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0); + proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0); connection->add_proposal(connection, proposal); - + /* add to global connection list */ charon->connections->add_connection(charon->connections, connection); this->logger->log(this->logger, CONTROL, "added connection \"%s\": %s[%s]...%s[%s]", @@ -317,10 +317,9 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) other_id->get_string(other_id)); policy = policy_create(msg->add_conn.name, my_id, other_id); - proposal = proposal_create(1); - proposal->add_algorithm(proposal, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); - proposal->add_algorithm(proposal, PROTO_ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); - proposal->add_algorithm(proposal, PROTO_ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); + proposal = proposal_create(PROTO_ESP); + proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); + proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); policy->add_proposal(policy, proposal); policy->add_my_traffic_selector(policy, my_ts); policy->add_other_traffic_selector(policy, other_ts);