further work for rekeying:
get liftimes from policy added new state initiation of rekeying done proposal redone: removed support for AH+ESP proposals
This commit is contained in:
parent
a401efd091
commit
8d77eddec2
|
@ -13,6 +13,7 @@ sa/states/ike_sa_init_responded.c sa/states/ike_sa_established.c sa/states/ike_s
|
|||
sa/states/responder_init.c sa/states/responder_init.h sa/states/initiator_init.c sa/states/initiator_init.h \
|
||||
sa/states/ike_sa_init_responded.h sa/states/ike_auth_requested.c sa/states/ike_auth_requested.h \
|
||||
sa/states/delete_requested.h sa/states/delete_requested.c \
|
||||
sa/states/create_child_sa_requested.c sa/states/create_child_sa_requested.h \
|
||||
sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
|
||||
sa/ike_sa_id.c sa/ike_sa_id.h sa/authenticator.c sa/authenticator.h encoding/payloads/encryption_payload.c \
|
||||
encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \
|
||||
|
|
|
@ -169,7 +169,6 @@ static proposal_t *select_proposal(private_connection_t *this, linked_list_t *pr
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */
|
||||
stored_iter->destroy(stored_iter);
|
||||
supplied_iter->destroy(supplied_iter);
|
||||
|
@ -206,7 +205,7 @@ static diffie_hellman_group_t get_dh_group(private_connection_t *this)
|
|||
while (iterator->has_next(iterator))
|
||||
{
|
||||
iterator->current(iterator, (void**)&proposal);
|
||||
proposal->get_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, &algo);
|
||||
proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo);
|
||||
if (algo)
|
||||
{
|
||||
iterator->destroy(iterator);
|
||||
|
@ -230,7 +229,7 @@ static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh
|
|||
while (prop_iter->has_next(prop_iter))
|
||||
{
|
||||
prop_iter->current(prop_iter, (void**)&proposal);
|
||||
alg_iter = proposal->create_algorithm_iterator(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP);
|
||||
alg_iter = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP);
|
||||
while (alg_iter->has_next(alg_iter))
|
||||
{
|
||||
alg_iter->current(alg_iter, (void**)&algo);
|
||||
|
|
|
@ -288,6 +288,22 @@ static void add_proposal(private_policy_t *this, proposal_t *proposal)
|
|||
this->proposals->insert_last(this->proposals, (void*)proposal);
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of policy_t.get_soft_lifetime
|
||||
*/
|
||||
static u_int32_t get_soft_lifetime(policy_t *this)
|
||||
{
|
||||
return 0; /*5 + random() % 5; */
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of policy_t.get_hard_lifetime
|
||||
*/
|
||||
static u_int32_t get_hard_lifetime(policy_t *this)
|
||||
{
|
||||
return 0; /*20; */
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements policy_t.clone.
|
||||
*/
|
||||
|
@ -396,6 +412,8 @@ policy_t *policy_create(char *name, identification_t *my_id, identification_t *o
|
|||
this->public.add_my_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_my_traffic_selector;
|
||||
this->public.add_other_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_other_traffic_selector;
|
||||
this->public.add_proposal = (void(*)(policy_t*,proposal_t*))add_proposal;
|
||||
this->public.get_soft_lifetime = (u_int32_t (*) (policy_t *))get_soft_lifetime;
|
||||
this->public.get_hard_lifetime = (u_int32_t (*) (policy_t *))get_hard_lifetime;
|
||||
this->public.clone = (policy_t*(*)(policy_t*))clone;
|
||||
this->public.destroy = (void(*)(policy_t*))destroy;
|
||||
|
||||
|
|
|
@ -229,6 +229,25 @@ struct policy_t {
|
|||
*/
|
||||
void (*add_proposal) (policy_t *this, proposal_t *proposal);
|
||||
|
||||
/**
|
||||
* @brief Get the lifetime of a policy, before rekeying starts.
|
||||
*
|
||||
* A call to this function automatically adds a jitter to
|
||||
* avoid simultanous rekeying.
|
||||
*
|
||||
* @param this policy
|
||||
* @return lifetime in seconds
|
||||
*/
|
||||
u_int32_t (*get_soft_lifetime) (policy_t *this);
|
||||
|
||||
/**
|
||||
* @brief Get the lifetime of a policy, before SA gets deleted.
|
||||
*
|
||||
* @param this policy
|
||||
* @return lifetime in seconds
|
||||
*/
|
||||
u_int32_t (*get_hard_lifetime) (policy_t *this);
|
||||
|
||||
/**
|
||||
* @brief Clone a policy.
|
||||
*
|
||||
|
|
|
@ -62,13 +62,18 @@ mapping_t extended_sequence_numbers_m[] = {
|
|||
{MAPPING_END, NULL}
|
||||
};
|
||||
|
||||
|
||||
typedef struct protocol_proposal_t protocol_proposal_t;
|
||||
typedef struct private_proposal_t private_proposal_t;
|
||||
|
||||
/**
|
||||
* substructure which holds all data algos for a specific protocol
|
||||
* Private data of an proposal_t object
|
||||
*/
|
||||
struct protocol_proposal_t {
|
||||
struct private_proposal_t {
|
||||
|
||||
/**
|
||||
* Public part
|
||||
*/
|
||||
proposal_t public;
|
||||
|
||||
/**
|
||||
* protocol (ESP or AH)
|
||||
*/
|
||||
|
@ -102,79 +107,9 @@ struct protocol_proposal_t {
|
|||
/**
|
||||
* senders SPI
|
||||
*/
|
||||
chunk_t spi;
|
||||
u_int64_t spi;
|
||||
};
|
||||
|
||||
|
||||
typedef struct private_proposal_t private_proposal_t;
|
||||
|
||||
/**
|
||||
* Private data of an proposal_t object
|
||||
*/
|
||||
struct private_proposal_t {
|
||||
|
||||
/**
|
||||
* Public part
|
||||
*/
|
||||
proposal_t public;
|
||||
|
||||
/**
|
||||
* number of this proposal, as used in the payload
|
||||
*/
|
||||
u_int8_t number;
|
||||
|
||||
/**
|
||||
* list of protocol_proposal_t's
|
||||
*/
|
||||
linked_list_t *protocol_proposals;
|
||||
};
|
||||
|
||||
/**
|
||||
* Look up a protocol_proposal, or create one if necessary...
|
||||
*/
|
||||
static protocol_proposal_t *get_protocol_proposal(private_proposal_t *this, protocol_id_t proto, bool create)
|
||||
{
|
||||
protocol_proposal_t *proto_proposal = NULL, *current_proto_proposal;;
|
||||
iterator_t *iterator;
|
||||
|
||||
/* find our protocol in the proposals */
|
||||
iterator = this->protocol_proposals->create_iterator(this->protocol_proposals, TRUE);
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
iterator->current(iterator, (void**)¤t_proto_proposal);
|
||||
if (current_proto_proposal->protocol == proto)
|
||||
{
|
||||
proto_proposal = current_proto_proposal;
|
||||
break;
|
||||
}
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
|
||||
if (!proto_proposal && create)
|
||||
{
|
||||
/* nope, create a new one */
|
||||
proto_proposal = malloc_thing(protocol_proposal_t);
|
||||
proto_proposal->protocol = proto;
|
||||
proto_proposal->encryption_algos = linked_list_create();
|
||||
proto_proposal->integrity_algos = linked_list_create();
|
||||
proto_proposal->prf_algos = linked_list_create();
|
||||
proto_proposal->dh_groups = linked_list_create();
|
||||
proto_proposal->esns = linked_list_create();
|
||||
if (proto == PROTO_IKE)
|
||||
{
|
||||
proto_proposal->spi.len = 8;
|
||||
}
|
||||
else
|
||||
{
|
||||
proto_proposal->spi.len = 4;
|
||||
}
|
||||
proto_proposal->spi.ptr = malloc(proto_proposal->spi.len);
|
||||
/* add to the list */
|
||||
this->protocol_proposals->insert_last(this->protocol_proposals, (void*)proto_proposal);
|
||||
}
|
||||
return proto_proposal;
|
||||
}
|
||||
|
||||
/**
|
||||
* Add algorithm/keysize to a algorithm list
|
||||
*/
|
||||
|
@ -190,26 +125,24 @@ static void add_algo(linked_list_t *list, u_int8_t algo, size_t key_size)
|
|||
/**
|
||||
* Implements proposal_t.add_algorithm
|
||||
*/
|
||||
static void add_algorithm(private_proposal_t *this, protocol_id_t proto, transform_type_t type, u_int16_t algo, size_t key_size)
|
||||
static void add_algorithm(private_proposal_t *this, transform_type_t type, u_int16_t algo, size_t key_size)
|
||||
{
|
||||
protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, TRUE);
|
||||
|
||||
switch (type)
|
||||
{
|
||||
case ENCRYPTION_ALGORITHM:
|
||||
add_algo(proto_proposal->encryption_algos, algo, key_size);
|
||||
add_algo(this->encryption_algos, algo, key_size);
|
||||
break;
|
||||
case INTEGRITY_ALGORITHM:
|
||||
add_algo(proto_proposal->integrity_algos, algo, key_size);
|
||||
add_algo(this->integrity_algos, algo, key_size);
|
||||
break;
|
||||
case PSEUDO_RANDOM_FUNCTION:
|
||||
add_algo(proto_proposal->prf_algos, algo, key_size);
|
||||
add_algo(this->prf_algos, algo, key_size);
|
||||
break;
|
||||
case DIFFIE_HELLMAN_GROUP:
|
||||
add_algo(proto_proposal->dh_groups, algo, 0);
|
||||
add_algo(this->dh_groups, algo, 0);
|
||||
break;
|
||||
case EXTENDED_SEQUENCE_NUMBERS:
|
||||
add_algo(proto_proposal->esns, algo, 0);
|
||||
add_algo(this->esns, algo, 0);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
|
@ -219,31 +152,25 @@ static void add_algorithm(private_proposal_t *this, protocol_id_t proto, transfo
|
|||
/**
|
||||
* Implements proposal_t.get_algorithm.
|
||||
*/
|
||||
static bool get_algorithm(private_proposal_t *this, protocol_id_t proto, transform_type_t type, algorithm_t** algo)
|
||||
static bool get_algorithm(private_proposal_t *this, transform_type_t type, algorithm_t** algo)
|
||||
{
|
||||
linked_list_t * list;
|
||||
protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE);
|
||||
|
||||
if (proto_proposal == NULL)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
linked_list_t *list;
|
||||
switch (type)
|
||||
{
|
||||
case ENCRYPTION_ALGORITHM:
|
||||
list = proto_proposal->encryption_algos;
|
||||
list = this->encryption_algos;
|
||||
break;
|
||||
case INTEGRITY_ALGORITHM:
|
||||
list = proto_proposal->integrity_algos;
|
||||
list = this->integrity_algos;
|
||||
break;
|
||||
case PSEUDO_RANDOM_FUNCTION:
|
||||
list = proto_proposal->prf_algos;
|
||||
list = this->prf_algos;
|
||||
break;
|
||||
case DIFFIE_HELLMAN_GROUP:
|
||||
list = proto_proposal->dh_groups;
|
||||
list = this->dh_groups;
|
||||
break;
|
||||
case EXTENDED_SEQUENCE_NUMBERS:
|
||||
list = proto_proposal->esns;
|
||||
list = this->esns;
|
||||
break;
|
||||
default:
|
||||
return FALSE;
|
||||
|
@ -258,26 +185,20 @@ static bool get_algorithm(private_proposal_t *this, protocol_id_t proto, transfo
|
|||
/**
|
||||
* Implements proposal_t.create_algorithm_iterator.
|
||||
*/
|
||||
static iterator_t *create_algorithm_iterator(private_proposal_t *this, protocol_id_t proto, transform_type_t type)
|
||||
static iterator_t *create_algorithm_iterator(private_proposal_t *this, transform_type_t type)
|
||||
{
|
||||
protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE);
|
||||
if (proto_proposal == NULL)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
|
||||
switch (type)
|
||||
{
|
||||
case ENCRYPTION_ALGORITHM:
|
||||
return proto_proposal->encryption_algos->create_iterator(proto_proposal->encryption_algos, TRUE);
|
||||
return this->encryption_algos->create_iterator(this->encryption_algos, TRUE);
|
||||
case INTEGRITY_ALGORITHM:
|
||||
return proto_proposal->integrity_algos->create_iterator(proto_proposal->integrity_algos, TRUE);
|
||||
return this->integrity_algos->create_iterator(this->integrity_algos, TRUE);
|
||||
case PSEUDO_RANDOM_FUNCTION:
|
||||
return proto_proposal->prf_algos->create_iterator(proto_proposal->prf_algos, TRUE);
|
||||
return this->prf_algos->create_iterator(this->prf_algos, TRUE);
|
||||
case DIFFIE_HELLMAN_GROUP:
|
||||
return proto_proposal->dh_groups->create_iterator(proto_proposal->dh_groups, TRUE);
|
||||
return this->dh_groups->create_iterator(this->dh_groups, TRUE);
|
||||
case EXTENDED_SEQUENCE_NUMBERS:
|
||||
return proto_proposal->esns->create_iterator(proto_proposal->esns, TRUE);
|
||||
return this->esns->create_iterator(this->esns, TRUE);
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
@ -336,201 +257,112 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
|
|||
proposal_t *selected;
|
||||
u_int16_t algo;
|
||||
size_t key_size;
|
||||
iterator_t *iterator;
|
||||
protocol_proposal_t *this_prop, *other_prop;
|
||||
protocol_id_t proto;
|
||||
bool add;
|
||||
u_int64_t spi;
|
||||
|
||||
/* empty proposal? no match */
|
||||
if (this->protocol_proposals->get_count(this->protocol_proposals) == 0 ||
|
||||
other->protocol_proposals->get_count(other->protocol_proposals) == 0)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
/* they MUST have the same amount of protocols */
|
||||
if (this->protocol_proposals->get_count(this->protocol_proposals) !=
|
||||
other->protocol_proposals->get_count(other->protocol_proposals))
|
||||
/* check protocol */
|
||||
if (this->protocol != other->protocol)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
|
||||
selected = proposal_create(this->number);
|
||||
|
||||
/* iterate over supplied proposals */
|
||||
iterator = other->protocol_proposals->create_iterator(other->protocol_proposals, TRUE);
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
iterator->current(iterator, (void**)&other_prop);
|
||||
/* get the proposal with the same protocol */
|
||||
proto = other_prop->protocol;
|
||||
this_prop = get_protocol_proposal(this, proto, FALSE);
|
||||
|
||||
if (this_prop == NULL)
|
||||
{
|
||||
iterator->destroy(iterator);
|
||||
selected->destroy(selected);
|
||||
return NULL;
|
||||
}
|
||||
selected = proposal_create(this->protocol);
|
||||
|
||||
/* select encryption algorithm */
|
||||
if (select_algo(this_prop->encryption_algos, other_prop->encryption_algos, &add, &algo, &key_size))
|
||||
if (select_algo(this->encryption_algos, other->encryption_algos, &add, &algo, &key_size))
|
||||
{
|
||||
if (add)
|
||||
{
|
||||
selected->add_algorithm(selected, proto, ENCRYPTION_ALGORITHM, algo, key_size);
|
||||
selected->add_algorithm(selected, ENCRYPTION_ALGORITHM, algo, key_size);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
iterator->destroy(iterator);
|
||||
selected->destroy(selected);
|
||||
return NULL;
|
||||
}
|
||||
/* select integrity algorithm */
|
||||
if (select_algo(this_prop->integrity_algos, other_prop->integrity_algos, &add, &algo, &key_size))
|
||||
if (select_algo(this->integrity_algos, other->integrity_algos, &add, &algo, &key_size))
|
||||
{
|
||||
if (add)
|
||||
{
|
||||
selected->add_algorithm(selected, proto, INTEGRITY_ALGORITHM, algo, key_size);
|
||||
selected->add_algorithm(selected, INTEGRITY_ALGORITHM, algo, key_size);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
iterator->destroy(iterator);
|
||||
selected->destroy(selected);
|
||||
return NULL;
|
||||
}
|
||||
/* select prf algorithm */
|
||||
if (select_algo(this_prop->prf_algos, other_prop->prf_algos, &add, &algo, &key_size))
|
||||
if (select_algo(this->prf_algos, other->prf_algos, &add, &algo, &key_size))
|
||||
{
|
||||
if (add)
|
||||
{
|
||||
selected->add_algorithm(selected, proto, PSEUDO_RANDOM_FUNCTION, algo, key_size);
|
||||
selected->add_algorithm(selected, PSEUDO_RANDOM_FUNCTION, algo, key_size);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
iterator->destroy(iterator);
|
||||
selected->destroy(selected);
|
||||
return NULL;
|
||||
}
|
||||
/* select a DH-group */
|
||||
if (select_algo(this_prop->dh_groups, other_prop->dh_groups, &add, &algo, &key_size))
|
||||
if (select_algo(this->dh_groups, other->dh_groups, &add, &algo, &key_size))
|
||||
{
|
||||
if (add)
|
||||
{
|
||||
selected->add_algorithm(selected, proto, DIFFIE_HELLMAN_GROUP, algo, 0);
|
||||
selected->add_algorithm(selected, DIFFIE_HELLMAN_GROUP, algo, 0);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
iterator->destroy(iterator);
|
||||
selected->destroy(selected);
|
||||
return NULL;
|
||||
}
|
||||
/* select if we use ESNs */
|
||||
if (select_algo(this_prop->esns, other_prop->esns, &add, &algo, &key_size))
|
||||
if (select_algo(this->esns, other->esns, &add, &algo, &key_size))
|
||||
{
|
||||
if (add)
|
||||
{
|
||||
selected->add_algorithm(selected, proto, EXTENDED_SEQUENCE_NUMBERS, algo, 0);
|
||||
selected->add_algorithm(selected, EXTENDED_SEQUENCE_NUMBERS, algo, 0);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
iterator->destroy(iterator);
|
||||
selected->destroy(selected);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
|
||||
/* apply spis from "other" */
|
||||
spi = other->public.get_spi(&(other->public), PROTO_AH);
|
||||
if (spi)
|
||||
{
|
||||
selected->set_spi(selected, PROTO_AH, spi);
|
||||
}
|
||||
spi = other->public.get_spi(&(other->public), PROTO_ESP);
|
||||
if (spi)
|
||||
{
|
||||
selected->set_spi(selected, PROTO_ESP, spi);
|
||||
}
|
||||
/* apply SPI from "other" */
|
||||
selected->set_spi(selected, other->spi);
|
||||
|
||||
/* everything matched, return new proposal */
|
||||
return selected;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements proposal_t.get_number.
|
||||
*/
|
||||
static u_int8_t get_number(private_proposal_t *this)
|
||||
{
|
||||
return this->number;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements proposal_t.get_protocols.
|
||||
*/
|
||||
static void get_protocols(private_proposal_t *this, protocol_id_t ids[2])
|
||||
static protocol_id_t get_protocol(private_proposal_t *this)
|
||||
{
|
||||
iterator_t *iterator = this->protocol_proposals->create_iterator(this->protocol_proposals, TRUE);
|
||||
u_int i = 0;
|
||||
|
||||
ids[0] = PROTO_NONE;
|
||||
ids[1] = PROTO_NONE;
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
protocol_proposal_t *proto_prop;
|
||||
iterator->current(iterator, (void**)&proto_prop);
|
||||
ids[i++] = proto_prop->protocol;
|
||||
if (i>1)
|
||||
{
|
||||
/* should not happen, but who knows */
|
||||
break;
|
||||
}
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
return this->protocol;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements proposal_t.set_spi.
|
||||
*/
|
||||
static void set_spi(private_proposal_t *this, protocol_id_t proto, u_int64_t spi)
|
||||
static void set_spi(private_proposal_t *this, u_int64_t spi)
|
||||
{
|
||||
protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE);
|
||||
if (proto_proposal)
|
||||
{
|
||||
if (proto == PROTO_AH || proto == PROTO_ESP)
|
||||
{
|
||||
*((u_int32_t*)proto_proposal->spi.ptr) = (u_int32_t)spi;
|
||||
}
|
||||
else
|
||||
{
|
||||
*((u_int64_t*)proto_proposal->spi.ptr) = spi;
|
||||
}
|
||||
}
|
||||
this->spi = spi;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements proposal_t.get_spi.
|
||||
*/
|
||||
static u_int64_t get_spi(private_proposal_t *this, protocol_id_t proto)
|
||||
static u_int64_t get_spi(private_proposal_t *this)
|
||||
{
|
||||
protocol_proposal_t *proto_proposal = get_protocol_proposal(this, proto, FALSE);
|
||||
if (proto_proposal)
|
||||
{
|
||||
if (proto == PROTO_AH || proto == PROTO_ESP)
|
||||
{
|
||||
return (u_int64_t)*((u_int32_t*)proto_proposal->spi.ptr);
|
||||
}
|
||||
else
|
||||
{
|
||||
return *((u_int64_t*)proto_proposal->spi.ptr);
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
return this->spi;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -555,24 +387,15 @@ static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list)
|
|||
*/
|
||||
static proposal_t *clone(private_proposal_t *this)
|
||||
{
|
||||
private_proposal_t *clone = (private_proposal_t*)proposal_create(this->number);
|
||||
private_proposal_t *clone = (private_proposal_t*)proposal_create(this->protocol);
|
||||
|
||||
iterator_t *iterator = this->protocol_proposals->create_iterator(this->protocol_proposals, TRUE);
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
protocol_proposal_t *proto_prop, *clone_proto_prop;
|
||||
iterator->current(iterator, (void**)&proto_prop);
|
||||
clone_algo_list(this->encryption_algos, clone->encryption_algos);
|
||||
clone_algo_list(this->integrity_algos, clone->integrity_algos);
|
||||
clone_algo_list(this->prf_algos, clone->prf_algos);
|
||||
clone_algo_list(this->dh_groups, clone->dh_groups);
|
||||
clone_algo_list(this->esns, clone->esns);
|
||||
|
||||
clone_proto_prop = get_protocol_proposal(clone, proto_prop->protocol, TRUE);
|
||||
memcpy(clone_proto_prop->spi.ptr, proto_prop->spi.ptr, clone_proto_prop->spi.len);
|
||||
|
||||
clone_algo_list(proto_prop->encryption_algos, clone_proto_prop->encryption_algos);
|
||||
clone_algo_list(proto_prop->integrity_algos, clone_proto_prop->integrity_algos);
|
||||
clone_algo_list(proto_prop->prf_algos, clone_proto_prop->prf_algos);
|
||||
clone_algo_list(proto_prop->dh_groups, clone_proto_prop->dh_groups);
|
||||
clone_algo_list(proto_prop->esns, clone_proto_prop->esns);
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
clone->spi = this->spi;
|
||||
|
||||
return &clone->public;
|
||||
}
|
||||
|
@ -597,46 +420,39 @@ static void free_algo_list(linked_list_t *list)
|
|||
*/
|
||||
static void destroy(private_proposal_t *this)
|
||||
{
|
||||
while(this->protocol_proposals->get_count(this->protocol_proposals) > 0)
|
||||
{
|
||||
protocol_proposal_t *proto_prop;
|
||||
this->protocol_proposals->remove_last(this->protocol_proposals, (void**)&proto_prop);
|
||||
|
||||
free_algo_list(proto_prop->encryption_algos);
|
||||
free_algo_list(proto_prop->integrity_algos);
|
||||
free_algo_list(proto_prop->prf_algos);
|
||||
free_algo_list(proto_prop->dh_groups);
|
||||
free_algo_list(proto_prop->esns);
|
||||
|
||||
free(proto_prop->spi.ptr);
|
||||
free(proto_prop);
|
||||
}
|
||||
this->protocol_proposals->destroy(this->protocol_proposals);
|
||||
|
||||
free_algo_list(this->encryption_algos);
|
||||
free_algo_list(this->integrity_algos);
|
||||
free_algo_list(this->prf_algos);
|
||||
free_algo_list(this->dh_groups);
|
||||
free_algo_list(this->esns);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* Describtion in header-file
|
||||
*/
|
||||
proposal_t *proposal_create(u_int8_t number)
|
||||
proposal_t *proposal_create(protocol_id_t protocol)
|
||||
{
|
||||
private_proposal_t *this = malloc_thing(private_proposal_t);
|
||||
|
||||
this->public.add_algorithm = (void (*)(proposal_t*,protocol_id_t,transform_type_t,u_int16_t,size_t))add_algorithm;
|
||||
this->public.create_algorithm_iterator = (iterator_t* (*)(proposal_t*,protocol_id_t,transform_type_t))create_algorithm_iterator;
|
||||
this->public.get_algorithm = (bool (*)(proposal_t*,protocol_id_t,transform_type_t,algorithm_t**))get_algorithm;
|
||||
this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,size_t))add_algorithm;
|
||||
this->public.create_algorithm_iterator = (iterator_t* (*)(proposal_t*,transform_type_t))create_algorithm_iterator;
|
||||
this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,algorithm_t**))get_algorithm;
|
||||
this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*))select_proposal;
|
||||
this->public.get_number = (u_int8_t (*)(proposal_t*))get_number;
|
||||
this->public.get_protocols = (void(*)(proposal_t *this, protocol_id_t ids[2]))get_protocols;
|
||||
this->public.set_spi = (void(*)(proposal_t*,protocol_id_t,u_int64_t spi))set_spi;
|
||||
this->public.get_spi = (u_int64_t(*)(proposal_t*,protocol_id_t))get_spi;
|
||||
this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
|
||||
this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
|
||||
this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi;
|
||||
this->public.clone = (proposal_t*(*)(proposal_t*))clone;
|
||||
this->public.destroy = (void(*)(proposal_t*))destroy;
|
||||
|
||||
/* init private members*/
|
||||
this->number = number;
|
||||
this->protocol_proposals = linked_list_create();
|
||||
this->spi = 0;
|
||||
this->protocol = protocol;
|
||||
|
||||
return (&this->public);
|
||||
this->encryption_algos = linked_list_create();
|
||||
this->integrity_algos = linked_list_create();
|
||||
this->prf_algos = linked_list_create();
|
||||
this->dh_groups = linked_list_create();
|
||||
this->esns = linked_list_create();
|
||||
|
||||
return &this->public;
|
||||
}
|
||||
|
|
|
@ -123,13 +123,9 @@ typedef struct proposal_t proposal_t;
|
|||
* @brief Stores a set of algorithms used for an SA.
|
||||
*
|
||||
* A proposal stores algorithms for a specific
|
||||
* protocol. It can store algorithms for more than
|
||||
* one protocol (e.g. AH and ESP). Then the proposal
|
||||
* means both protocols must be used.
|
||||
* A proposal may contain more than one algorithm
|
||||
* of the same kind. ONE of them can be selected.
|
||||
*
|
||||
* @warning This class is NOT thread-save!
|
||||
* protocol. It can store algorithms for one protocol.
|
||||
* Proposals with multiple protocols are not supported,
|
||||
* as it's not specified in RFC4301 anymore.
|
||||
*
|
||||
* @b Constructors:
|
||||
* - proposal_create()
|
||||
|
@ -150,25 +146,21 @@ struct proposal_t {
|
|||
* integrity_algorithm_t, dh_group_number_t and
|
||||
* extended_sequence_numbers_t.
|
||||
*
|
||||
* @warning Do not add while other threads are reading.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param proto desired protocol
|
||||
* @param type kind of algorithm
|
||||
* @param alg identifier for algorithm
|
||||
* @param key_size key size to use
|
||||
*/
|
||||
void (*add_algorithm) (proposal_t *this, protocol_id_t proto, transform_type_t type, u_int16_t alg, size_t key_size);
|
||||
void (*add_algorithm) (proposal_t *this, transform_type_t type, u_int16_t alg, size_t key_size);
|
||||
|
||||
/**
|
||||
* @brief Get an iterator over algorithms for a specifc protocol/algo type.
|
||||
* @brief Get an iterator over algorithms for a specifc algo type.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param proto desired protocol
|
||||
* @param type kind of algorithm
|
||||
* @return iterator over algorithms
|
||||
* @return iterator over algorithm_t's
|
||||
*/
|
||||
iterator_t *(*create_algorithm_iterator) (proposal_t *this, protocol_id_t proto, transform_type_t type);
|
||||
iterator_t *(*create_algorithm_iterator) (proposal_t *this, transform_type_t type);
|
||||
|
||||
/**
|
||||
* @brief Get the algorithm for a type to use.
|
||||
|
@ -177,12 +169,11 @@ struct proposal_t {
|
|||
* Result is still owned by proposal, do not modify!
|
||||
*
|
||||
* @param this calling object
|
||||
* @param proto desired protocol
|
||||
* @param type kind of algorithm
|
||||
* @param[out] algo pointer which receives algorithm and key size
|
||||
* @return TRUE if algorithm of this kind available
|
||||
*/
|
||||
bool (*get_algorithm) (proposal_t *this, protocol_id_t proto, transform_type_t type, algorithm_t** algo);
|
||||
bool (*get_algorithm) (proposal_t *this, transform_type_t type, algorithm_t** algo);
|
||||
|
||||
/**
|
||||
* @brief Compare two proposal, and select a matching subset.
|
||||
|
@ -200,41 +191,28 @@ struct proposal_t {
|
|||
proposal_t *(*select) (proposal_t *this, proposal_t *other);
|
||||
|
||||
/**
|
||||
* @brief Get the number set on construction.
|
||||
* @brief Get the protocol ID of the proposal.
|
||||
*
|
||||
* @param this calling object
|
||||
* @return number
|
||||
* @return protocol of the proposal
|
||||
*/
|
||||
u_int8_t (*get_number) (proposal_t *this);
|
||||
protocol_id_t (*get_protocol) (proposal_t *this);
|
||||
|
||||
/**
|
||||
* @brief Get the protocol ids in the proposals.
|
||||
*
|
||||
* With AH and ESP, there could be two protocols in one
|
||||
* proposal.
|
||||
* @brief Get the SPI of the proposal.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param ids array of protocol ids,
|
||||
*/
|
||||
void (*get_protocols) (proposal_t *this, protocol_id_t ids[2]);
|
||||
|
||||
/**
|
||||
* @brief Get the spi for a specific protocol.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param proto AH/ESP
|
||||
* @return spi for proto
|
||||
*/
|
||||
u_int64_t (*get_spi) (proposal_t *this, protocol_id_t proto);
|
||||
u_int64_t (*get_spi) (proposal_t *this);
|
||||
|
||||
/**
|
||||
* @brief Set the spi for a specific protocol.
|
||||
* @brief Set the SPI of the proposal.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param proto AH/ESP
|
||||
* @param spi spi to set for proto
|
||||
*/
|
||||
void (*set_spi) (proposal_t *this, protocol_id_t proto, u_int64_t spi);
|
||||
void (*set_spi) (proposal_t *this, u_int64_t spi);
|
||||
|
||||
/**
|
||||
* @brief Clone a proposal.
|
||||
|
@ -253,17 +231,13 @@ struct proposal_t {
|
|||
};
|
||||
|
||||
/**
|
||||
* @brief Create a child proposal for AH and/or ESP.
|
||||
* @brief Create a child proposal for AH, ESP or IKE.
|
||||
*
|
||||
* Since the order of multiple proposals is important for
|
||||
* key derivation, we must assign them numbers as they
|
||||
* appear in the raw payload. Numbering starts at 1.
|
||||
*
|
||||
* @param number number of the proposal, as in the payload
|
||||
* @param protocol protocol, such as PROTO_ESP
|
||||
* @return proposal_t object
|
||||
*
|
||||
* @ingroup config
|
||||
*/
|
||||
proposal_t *proposal_create(u_int8_t number);
|
||||
proposal_t *proposal_create(protocol_id_t protocol);
|
||||
|
||||
#endif /* PROPOSAL_H_ */
|
||||
|
|
|
@ -187,7 +187,7 @@ static payload_rule_t informational_r_payload_rules[] = {
|
|||
/**
|
||||
* Message rule for CREATE_CHILD_SA from initiator.
|
||||
*/
|
||||
static payload_rule_t create_child_sa_r_payload_rules[] = {
|
||||
static payload_rule_t create_child_sa_i_payload_rules[] = {
|
||||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
|
||||
{SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
|
||||
{NONCE,1,1,TRUE,FALSE},
|
||||
|
@ -200,7 +200,7 @@ static payload_rule_t create_child_sa_r_payload_rules[] = {
|
|||
/**
|
||||
* Message rule for CREATE_CHILD_SA from responder.
|
||||
*/
|
||||
static payload_rule_t create_child_sa_i_payload_rules[] = {
|
||||
static payload_rule_t create_child_sa_r_payload_rules[] = {
|
||||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
|
||||
{SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
|
||||
{NONCE,1,1,TRUE,FALSE},
|
||||
|
@ -220,7 +220,9 @@ static message_rule_t message_rules[] = {
|
|||
{IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules},
|
||||
{IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules},
|
||||
{INFORMATIONAL,TRUE,TRUE,(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),informational_i_payload_rules},
|
||||
{INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules}
|
||||
{INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules},
|
||||
{CREATE_CHILD_SA,TRUE,TRUE,(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),create_child_sa_i_payload_rules},
|
||||
{CREATE_CHILD_SA,FALSE,TRUE,(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),create_child_sa_r_payload_rules},
|
||||
};
|
||||
|
||||
|
||||
|
|
|
@ -173,9 +173,22 @@ encoding_rule_t notify_payload_encodings[] = {
|
|||
*/
|
||||
static status_t verify(private_notify_payload_t *this)
|
||||
{
|
||||
if (this->protocol_id > 3)
|
||||
switch (this->protocol_id)
|
||||
{
|
||||
/* reserved for future use */
|
||||
case PROTO_IKE:
|
||||
if (this->spi.len != 8)
|
||||
{
|
||||
return FAILED;
|
||||
}
|
||||
break;
|
||||
case PROTO_AH:
|
||||
case PROTO_ESP:
|
||||
if (this->spi.len != 4)
|
||||
{
|
||||
return FAILED;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
|
@ -265,9 +278,7 @@ static void compute_length (private_notify_payload_t *this)
|
|||
{
|
||||
length += this->spi.len;
|
||||
}
|
||||
|
||||
this->payload_length = length;
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -289,7 +300,7 @@ static void set_protocol_id(private_notify_payload_t *this, u_int8_t protocol_id
|
|||
/**
|
||||
* Implementation of notify_payload_t.get_notify_message_type.
|
||||
*/
|
||||
static u_int16_t get_notify_message_type(private_notify_payload_t *this)
|
||||
static notify_message_type_t get_notify_message_type(private_notify_payload_t *this)
|
||||
{
|
||||
return this->notify_message_type;
|
||||
}
|
||||
|
@ -305,32 +316,42 @@ static void set_notify_message_type(private_notify_payload_t *this, u_int16_t no
|
|||
/**
|
||||
* Implementation of notify_payload_t.get_spi.
|
||||
*/
|
||||
static chunk_t get_spi(private_notify_payload_t *this)
|
||||
static u_int64_t get_spi(private_notify_payload_t *this)
|
||||
{
|
||||
return (this->spi);
|
||||
switch (this->protocol_id)
|
||||
{
|
||||
case PROTO_IKE:
|
||||
return *((u_int64_t*)this->spi.ptr);
|
||||
case PROTO_AH:
|
||||
case PROTO_ESP:
|
||||
return *((u_int32_t*)this->spi.ptr);
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of notify_payload_t.set_spi.
|
||||
*/
|
||||
static void set_spi(private_notify_payload_t *this, chunk_t spi)
|
||||
static void set_spi(private_notify_payload_t *this, u_int64_t spi)
|
||||
{
|
||||
/* destroy existing data first */
|
||||
if (this->spi.ptr != NULL)
|
||||
chunk_free(&this->spi);
|
||||
switch (this->protocol_id)
|
||||
{
|
||||
/* free existing value */
|
||||
free(this->spi.ptr);
|
||||
this->spi.ptr = NULL;
|
||||
this->spi.len = 0;
|
||||
|
||||
case PROTO_IKE:
|
||||
this->spi = chunk_alloc(8);
|
||||
*((u_int64_t*)this->spi.ptr) = spi;
|
||||
break;
|
||||
case PROTO_AH:
|
||||
case PROTO_ESP:
|
||||
this->spi = chunk_alloc(4);
|
||||
*((u_int32_t*)this->spi.ptr) = spi;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
this->spi.ptr = clalloc(spi.ptr,spi.len);
|
||||
|
||||
this->spi.len = spi.len;
|
||||
this->spi_size = spi.len;
|
||||
this->spi_size = this->spi.len;
|
||||
this->compute_length(this);
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -376,7 +397,6 @@ static status_t destroy(private_notify_payload_t *this)
|
|||
{
|
||||
free(this->spi.ptr);
|
||||
}
|
||||
|
||||
free(this);
|
||||
return SUCCESS;
|
||||
}
|
||||
|
@ -400,10 +420,10 @@ notify_payload_t *notify_payload_create()
|
|||
/* public functions */
|
||||
this->public.get_protocol_id = (u_int8_t (*) (notify_payload_t *)) get_protocol_id;
|
||||
this->public.set_protocol_id = (void (*) (notify_payload_t *,u_int8_t)) set_protocol_id;
|
||||
this->public.get_notify_message_type = (u_int16_t (*) (notify_payload_t *)) get_notify_message_type;
|
||||
this->public.set_notify_message_type = (void (*) (notify_payload_t *,u_int16_t)) set_notify_message_type;
|
||||
this->public.get_spi = (chunk_t (*) (notify_payload_t *)) get_spi;
|
||||
this->public.set_spi = (void (*) (notify_payload_t *,chunk_t)) set_spi;
|
||||
this->public.get_notify_message_type = (notify_message_type_t (*) (notify_payload_t *)) get_notify_message_type;
|
||||
this->public.set_notify_message_type = (void (*) (notify_payload_t *,notify_message_type_t)) set_notify_message_type;
|
||||
this->public.get_spi = (u_int64_t (*) (notify_payload_t *)) get_spi;
|
||||
this->public.set_spi = (void (*) (notify_payload_t *,u_int64_t)) set_spi;
|
||||
this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data;
|
||||
this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data;
|
||||
this->public.destroy = (void (*) (notify_payload_t *)) destroy;
|
||||
|
|
|
@ -64,7 +64,8 @@ enum notify_message_type_t {
|
|||
INVALID_SELECTORS = 39,
|
||||
|
||||
INITIAL_CONTACT = 16384,
|
||||
SET_WINDOW_SIZE = 16385
|
||||
SET_WINDOW_SIZE = 16385,
|
||||
REKEY_SA = 16393,
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -118,35 +119,31 @@ struct notify_payload_t {
|
|||
* @param this calling notify_payload_t object
|
||||
* @return notify message type of this payload
|
||||
*/
|
||||
u_int16_t (*get_notify_message_type) (notify_payload_t *this);
|
||||
notify_message_type_t (*get_notify_message_type) (notify_payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief Sets notify message type of this payload.
|
||||
*
|
||||
* @param this calling notify_payload_t object
|
||||
* @param notify_message_type notify message type to set
|
||||
* @param type notify message type to set
|
||||
*/
|
||||
void (*set_notify_message_type) (notify_payload_t *this, u_int16_t notify_message_type);
|
||||
void (*set_notify_message_type) (notify_payload_t *this, notify_message_type_t type);
|
||||
|
||||
/**
|
||||
* @brief Returns the currently set spi of this payload.
|
||||
*
|
||||
* @warning Returned data are not copied.
|
||||
*
|
||||
* @param this calling notify_payload_t object
|
||||
* @return chunk_t pointing to the value
|
||||
* @return SPI value
|
||||
*/
|
||||
chunk_t (*get_spi) (notify_payload_t *this);
|
||||
u_int64_t (*get_spi) (notify_payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief Sets the spi of this payload.
|
||||
*
|
||||
* @warning Value is getting copied.
|
||||
*
|
||||
* @param this calling notify_payload_t object
|
||||
* @param spi chunk_t pointing to the value to set
|
||||
* @param spi SPI value
|
||||
*/
|
||||
void (*set_spi) (notify_payload_t *this, chunk_t spi);
|
||||
void (*set_spi) (notify_payload_t *this, u_int64_t spi);
|
||||
|
||||
/**
|
||||
* @brief Returns the currently set notification data of payload.
|
||||
|
|
|
@ -404,14 +404,17 @@ static size_t get_spi_size (private_proposal_substructure_t *this)
|
|||
}
|
||||
|
||||
/**
|
||||
* Implementation of proposal_substructure_t.add_to_proposal.
|
||||
* Implementation of proposal_substructure_t.get_proposal.
|
||||
*/
|
||||
void add_to_proposal(private_proposal_substructure_t *this, proposal_t *proposal)
|
||||
proposal_t* get_proposal(private_proposal_substructure_t *this)
|
||||
{
|
||||
iterator_t *iterator = this->transforms->create_iterator(this->transforms, TRUE);
|
||||
u_int32_t spi;
|
||||
iterator_t *iterator;
|
||||
proposal_t *proposal;
|
||||
u_int64_t spi;
|
||||
|
||||
proposal = proposal_create(this->protocol_id);
|
||||
|
||||
iterator = this->transforms->create_iterator(this->transforms, TRUE);
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
transform_substructure_t *transform;
|
||||
|
@ -425,13 +428,24 @@ void add_to_proposal(private_proposal_substructure_t *this, proposal_t *proposal
|
|||
transform_id = transform->get_transform_id(transform);
|
||||
transform->get_key_length(transform, &key_length);
|
||||
|
||||
proposal->add_algorithm(proposal, this->protocol_id, transform_type, transform_id, key_length);
|
||||
proposal->add_algorithm(proposal, transform_type, transform_id, key_length);
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
|
||||
switch (this->spi.len)
|
||||
{
|
||||
case 4:
|
||||
spi = *((u_int32_t*)this->spi.ptr);
|
||||
break;
|
||||
case 8:
|
||||
spi = *((u_int64_t*)this->spi.ptr);
|
||||
break;
|
||||
default:
|
||||
spi = 0;
|
||||
}
|
||||
proposal->set_spi(proposal, spi);
|
||||
|
||||
proposal->set_spi(proposal, this->protocol_id, spi);
|
||||
return proposal;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -527,7 +541,7 @@ proposal_substructure_t *proposal_substructure_create()
|
|||
this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id;
|
||||
this->public.get_info_for_transform_type = (status_t (*) (proposal_substructure_t *,transform_type_t,u_int16_t *, u_int16_t *))get_info_for_transform_type;
|
||||
this->public.set_is_last_proposal = (void (*) (proposal_substructure_t *,bool)) set_is_last_proposal;
|
||||
this->public.add_to_proposal = (void (*) (proposal_substructure_t*,proposal_t*))add_to_proposal;
|
||||
this->public.get_proposal = (proposal_t* (*) (proposal_substructure_t*))get_proposal;
|
||||
this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi;
|
||||
this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi;
|
||||
this->public.get_transform_count = (size_t (*) (proposal_substructure_t *)) get_transform_count;
|
||||
|
@ -556,7 +570,7 @@ proposal_substructure_t *proposal_substructure_create()
|
|||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal, protocol_id_t proto)
|
||||
proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal)
|
||||
{
|
||||
private_proposal_substructure_t *this = (private_proposal_substructure_t*)proposal_substructure_create();
|
||||
iterator_t *iterator;
|
||||
|
@ -564,7 +578,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
|
|||
transform_substructure_t *transform;
|
||||
|
||||
/* encryption algorithm is only availble in ESP */
|
||||
iterator = proposal->create_algorithm_iterator(proposal, proto, ENCRYPTION_ALGORITHM);
|
||||
iterator = proposal->create_algorithm_iterator(proposal, ENCRYPTION_ALGORITHM);
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
iterator->current(iterator, (void**)&algo);
|
||||
|
@ -574,7 +588,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
|
|||
iterator->destroy(iterator);
|
||||
|
||||
/* integrity algorithms */
|
||||
iterator = proposal->create_algorithm_iterator(proposal, proto, INTEGRITY_ALGORITHM);
|
||||
iterator = proposal->create_algorithm_iterator(proposal, INTEGRITY_ALGORITHM);
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
algorithm_t *algo;
|
||||
|
@ -585,7 +599,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
|
|||
iterator->destroy(iterator);
|
||||
|
||||
/* prf algorithms */
|
||||
iterator = proposal->create_algorithm_iterator(proposal, proto, PSEUDO_RANDOM_FUNCTION);
|
||||
iterator = proposal->create_algorithm_iterator(proposal, PSEUDO_RANDOM_FUNCTION);
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
algorithm_t *algo;
|
||||
|
@ -596,7 +610,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
|
|||
iterator->destroy(iterator);
|
||||
|
||||
/* dh groups */
|
||||
iterator = proposal->create_algorithm_iterator(proposal, proto, DIFFIE_HELLMAN_GROUP);
|
||||
iterator = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP);
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
algorithm_t *algo;
|
||||
|
@ -607,7 +621,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
|
|||
iterator->destroy(iterator);
|
||||
|
||||
/* extended sequence numbers */
|
||||
iterator = proposal->create_algorithm_iterator(proposal, proto, EXTENDED_SEQUENCE_NUMBERS);
|
||||
iterator = proposal->create_algorithm_iterator(proposal, EXTENDED_SEQUENCE_NUMBERS);
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
algorithm_t *algo;
|
||||
|
@ -618,12 +632,19 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
|
|||
iterator->destroy(iterator);
|
||||
|
||||
/* take over general infos */
|
||||
this->spi_size = proto == PROTO_IKE ? 8 : 4;
|
||||
this->spi_size = proposal->get_protocol(proposal) == PROTO_IKE ? 8 : 4;
|
||||
this->spi.len = this->spi_size;
|
||||
this->spi.ptr = malloc(this->spi_size);
|
||||
*((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal, proto);
|
||||
this->proposal_number = proposal->get_number(proposal);
|
||||
this->protocol_id = proto;
|
||||
if (this->spi_size == 8)
|
||||
{
|
||||
*((u_int64_t*)this->spi.ptr) = proposal->get_spi(proposal);
|
||||
}
|
||||
else
|
||||
{
|
||||
*((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal);
|
||||
}
|
||||
this->proposal_number = 0;
|
||||
this->protocol_id = proposal->get_protocol(proposal);
|
||||
|
||||
return &(this->public);
|
||||
}
|
||||
|
|
|
@ -174,16 +174,12 @@ struct proposal_substructure_t {
|
|||
void (*set_spi) (proposal_substructure_t *this, chunk_t spi);
|
||||
|
||||
/**
|
||||
* @brief Add this proposal_substructure to a proposal.
|
||||
*
|
||||
* Since a proposal_t may contain the data of multiple
|
||||
* proposal_sbustructure_t's, it may be necessary to call
|
||||
* the function multiple times with the same proposal.
|
||||
* @brief Get a proposal_t from the propsal_substructure_t.
|
||||
*
|
||||
* @param this calling proposal_substructure_t object
|
||||
* @param proposal proposal where the data should be added
|
||||
* @return proposal_t
|
||||
*/
|
||||
void (*add_to_proposal) (proposal_substructure_t *this, proposal_t *proposal);
|
||||
proposal_t * (*get_proposal) (proposal_substructure_t *this);
|
||||
|
||||
/**
|
||||
* @brief Clones an proposal_substructure_t object.
|
||||
|
@ -211,21 +207,14 @@ struct proposal_substructure_t {
|
|||
proposal_substructure_t *proposal_substructure_create(void);
|
||||
|
||||
/**
|
||||
* @brief Creates a proposal substructure from a proposal.
|
||||
*
|
||||
* Since a child proposal may contain data for both AH and ESP,
|
||||
* the protocol must be specified. If the proposal does not contain
|
||||
* data for proto, NULL is returned. Call twice, once with AH, once
|
||||
* with ESP, with the same proposal to build the two substructures
|
||||
* for it.
|
||||
* @brief Creates a proposal_substructure_t from a proposal_t.
|
||||
*
|
||||
* @param proposal proposal to build a substruct out of it
|
||||
* @param proto for which protocol the substructure should be built
|
||||
* @return proposal_substructure_t object, or NULL
|
||||
* @return proposal_substructure_t object
|
||||
*
|
||||
* @ingroup payloads
|
||||
*/
|
||||
proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal, protocol_id_t proto);
|
||||
proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal);
|
||||
|
||||
|
||||
#endif /*PROPOSAL_SUBSTRUCTURE_H_*/
|
||||
|
|
|
@ -232,18 +232,20 @@ static iterator_t *create_proposal_substructure_iterator (private_sa_payload_t *
|
|||
/**
|
||||
* Implementation of sa_payload_t.add_proposal_substructure.
|
||||
*/
|
||||
static void add_proposal_substructure (private_sa_payload_t *this,proposal_substructure_t *proposal)
|
||||
static void add_proposal_substructure(private_sa_payload_t *this,proposal_substructure_t *proposal)
|
||||
{
|
||||
status_t status;
|
||||
if (this->proposals->get_count(this->proposals) > 0)
|
||||
u_int proposal_count = this->proposals->get_count(this->proposals);
|
||||
|
||||
if (proposal_count > 0)
|
||||
{
|
||||
proposal_substructure_t *last_proposal;
|
||||
status = this->proposals->get_last(this->proposals,(void **) &last_proposal);
|
||||
/* last transform is now not anymore last one */
|
||||
last_proposal->set_is_last_proposal(last_proposal,FALSE);
|
||||
last_proposal->set_is_last_proposal(last_proposal, FALSE);
|
||||
}
|
||||
proposal->set_is_last_proposal(proposal,TRUE);
|
||||
|
||||
proposal->set_is_last_proposal(proposal, TRUE);
|
||||
proposal->set_proposal_number(proposal, proposal_count + 1);
|
||||
this->proposals->insert_last(this->proposals,(void *) proposal);
|
||||
this->compute_length(this);
|
||||
}
|
||||
|
@ -254,19 +256,9 @@ static void add_proposal_substructure (private_sa_payload_t *this,proposal_subst
|
|||
static void add_proposal(private_sa_payload_t *this, proposal_t *proposal)
|
||||
{
|
||||
proposal_substructure_t *substructure;
|
||||
protocol_id_t proto[2];
|
||||
u_int i;
|
||||
|
||||
/* build the substructures for every protocol */
|
||||
proposal->get_protocols(proposal, proto);
|
||||
for (i = 0; i<2; i++)
|
||||
{
|
||||
if (proto[i] != PROTO_NONE)
|
||||
{
|
||||
substructure = proposal_substructure_create_from_proposal(proposal, proto[i]);
|
||||
substructure = proposal_substructure_create_from_proposal(proposal);
|
||||
add_proposal_substructure(this, substructure);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -274,30 +266,44 @@ static void add_proposal(private_sa_payload_t *this, proposal_t *proposal)
|
|||
*/
|
||||
static linked_list_t *get_proposals(private_sa_payload_t *this)
|
||||
{
|
||||
int proposal_struct_number = 0;
|
||||
int struct_number = 0;
|
||||
int ignore_struct_number = 0;
|
||||
iterator_t *iterator;
|
||||
proposal_t *proposal;
|
||||
linked_list_t *proposal_list;
|
||||
|
||||
/* this list will hold our proposals */
|
||||
proposal_list = linked_list_create();
|
||||
|
||||
/* iterate over structures, one OR MORE structures will result in a proposal */
|
||||
iterator = this->proposals->create_iterator(this->proposals,TRUE);
|
||||
/* we do not support proposals split up to two proposal substructures, as
|
||||
* AH+ESP bundles are not supported in RFC4301 anymore.
|
||||
* To handle such structures safely, we just skip proposals with multiple
|
||||
* protocols.
|
||||
*/
|
||||
iterator = this->proposals->create_iterator(this->proposals, TRUE);
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
proposal_t *proposal;
|
||||
proposal_substructure_t *proposal_struct;
|
||||
iterator->current(iterator,(void **)&(proposal_struct));
|
||||
|
||||
if (proposal_struct->get_proposal_number(proposal_struct) > proposal_struct_number)
|
||||
iterator->current(iterator, (void **)&proposal_struct);
|
||||
/* check if a proposal has a single protocol */
|
||||
if (proposal_struct->get_proposal_number(proposal_struct) == struct_number)
|
||||
{
|
||||
if (ignore_struct_number < struct_number)
|
||||
{
|
||||
/* remova an already added, if first of series */
|
||||
proposal_list->remove_last(proposal_list, (void**)proposal);
|
||||
proposal->destroy(proposal);
|
||||
ignore_struct_number = struct_number;
|
||||
}
|
||||
continue;
|
||||
}
|
||||
struct_number++;
|
||||
proposal = proposal_struct->get_proposal(proposal_struct);
|
||||
if (proposal)
|
||||
{
|
||||
/* here starts a new proposal, create a new one and add it to the list */
|
||||
proposal_struct_number = proposal_struct->get_proposal_number(proposal_struct);
|
||||
proposal = proposal_create(proposal_struct_number);
|
||||
proposal_list->insert_last(proposal_list, proposal);
|
||||
}
|
||||
/* proposal_substructure_t does the dirty work and builds up the proposal */
|
||||
proposal_struct->add_to_proposal(proposal_struct, proposal);
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
return proposal_list;
|
||||
|
@ -354,7 +360,7 @@ sa_payload_t *sa_payload_create()
|
|||
this->payload_length = SA_PAYLOAD_HEADER_LENGTH;
|
||||
|
||||
this->proposals = linked_list_create();
|
||||
return (&(this->public));
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
@ -71,9 +71,9 @@ static status_t execute(private_rekey_child_sa_job_t *this)
|
|||
return DESTROY_ME;
|
||||
}
|
||||
|
||||
/* TODO */
|
||||
ike_sa->rekey_child_sa(ike_sa, this->reqid);
|
||||
|
||||
status = charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
|
||||
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
|
||||
return DESTROY_ME;
|
||||
}
|
||||
|
||||
|
|
|
@ -51,9 +51,12 @@ struct rekey_child_sa_job_t {
|
|||
* @brief Creates a job of type REKEY_CHILD_SA.
|
||||
*
|
||||
* To find the targeted CHILD_SA, the uniqe reqid used in
|
||||
* the kernel is used.
|
||||
* the kernel is used. As a CHILD_SA may contain multiple SAs
|
||||
* (AH and/or ESP), we must provide an additional spi to
|
||||
* know which IPsec SA to rekey.
|
||||
*
|
||||
* @param reqid reqid CHILD_SA to rekey
|
||||
* @param spi security parameter index of the SA to rekey
|
||||
* @return rekey_child_sa_job_t object
|
||||
*
|
||||
* @ingroup jobs
|
||||
|
|
|
@ -36,25 +36,12 @@ typedef struct sa_policy_t sa_policy_t;
|
|||
*/
|
||||
struct sa_policy_t {
|
||||
|
||||
/**
|
||||
* Network on local side
|
||||
*/
|
||||
host_t *my_net;
|
||||
|
||||
/**
|
||||
* Network on remote side
|
||||
*/
|
||||
host_t *other_net;
|
||||
|
||||
/**
|
||||
* Number of bits for local network (subnet size)
|
||||
*/
|
||||
u_int8_t my_net_mask;
|
||||
|
||||
/**
|
||||
* Number of bits for remote network (subnet size)
|
||||
*/
|
||||
u_int8_t other_net_mask;
|
||||
struct {
|
||||
/** subnet address behind peer peer */
|
||||
host_t *net;
|
||||
/** netmask used for net */
|
||||
u_int8_t net_mask;
|
||||
} me, other;
|
||||
|
||||
/**
|
||||
* Protocol for this policy, such as TCP/UDP/ICMP...
|
||||
|
@ -73,38 +60,20 @@ struct private_child_sa_t {
|
|||
*/
|
||||
child_sa_t public;
|
||||
|
||||
/**
|
||||
* IP of this peer
|
||||
*/
|
||||
host_t *me;
|
||||
struct {
|
||||
/** address of peer */
|
||||
host_t *addr;
|
||||
/** actual used SPI, 0 if unused */
|
||||
u_int32_t spi;
|
||||
} me, other;
|
||||
|
||||
/**
|
||||
* IP of other peer
|
||||
* Protocol used to protect this SA, ESP|AH
|
||||
*/
|
||||
host_t *other;
|
||||
protocol_id_t protocol;
|
||||
|
||||
/**
|
||||
* Local security parameter index for AH protocol, 0 if not used
|
||||
*/
|
||||
u_int32_t my_ah_spi;
|
||||
|
||||
/**
|
||||
* Local security parameter index for ESP protocol, 0 if not used
|
||||
*/
|
||||
u_int32_t my_esp_spi;
|
||||
|
||||
/**
|
||||
* Remote security parameter index for AH protocol, 0 if not used
|
||||
*/
|
||||
u_int32_t other_ah_spi;
|
||||
|
||||
/**
|
||||
* Remote security parameter index for ESP protocol, 0 if not used
|
||||
*/
|
||||
u_int32_t other_esp_spi;
|
||||
|
||||
/**
|
||||
* List containing policy_id_t objects
|
||||
* List containing sa_policy_t objects
|
||||
*/
|
||||
linked_list_t *policies;
|
||||
|
||||
|
@ -113,6 +82,16 @@ struct private_child_sa_t {
|
|||
*/
|
||||
u_int32_t reqid;
|
||||
|
||||
/**
|
||||
* Lifetime before rekeying
|
||||
*/
|
||||
u_int32_t soft_lifetime;
|
||||
|
||||
/**
|
||||
* Lifetime before delete
|
||||
*/
|
||||
u_int32_t hard_lifetime;
|
||||
|
||||
/**
|
||||
* CHILD_SAs own logger
|
||||
*/
|
||||
|
@ -127,12 +106,32 @@ static u_int32_t get_reqid(private_child_sa_t *this)
|
|||
return this->reqid;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements child_sa_t.get_spi
|
||||
*/
|
||||
u_int32_t get_spi(private_child_sa_t *this, bool inbound)
|
||||
{
|
||||
if (inbound)
|
||||
{
|
||||
return this->me.spi;
|
||||
}
|
||||
return this->other.spi;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements child_sa_t.get_protocol
|
||||
*/
|
||||
protocol_id_t get_protocol(private_child_sa_t *this)
|
||||
{
|
||||
return this->protocol;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements child_sa_t.alloc
|
||||
*/
|
||||
static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
|
||||
{
|
||||
protocol_id_t protocols[2];
|
||||
protocol_id_t protocol;
|
||||
iterator_t *iterator;
|
||||
proposal_t *proposal;
|
||||
status_t status;
|
||||
|
@ -143,50 +142,21 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
|
|||
while(iterator->has_next(iterator))
|
||||
{
|
||||
iterator->current(iterator, (void**)&proposal);
|
||||
proposal->get_protocols(proposal, protocols);
|
||||
protocol = proposal->get_protocol(proposal);
|
||||
|
||||
/* check all protocols */
|
||||
for (i = 0; i<2; i++)
|
||||
{
|
||||
switch (protocols[i])
|
||||
{
|
||||
case PROTO_AH:
|
||||
/* do we already have an spi for AH?*/
|
||||
if (this->my_ah_spi == 0)
|
||||
{
|
||||
/* nope, get one */
|
||||
status = charon->kernel_interface->get_spi(
|
||||
charon->kernel_interface,
|
||||
this->me, this->other,
|
||||
PROTO_AH, FALSE,
|
||||
&(this->my_ah_spi));
|
||||
}
|
||||
/* update proposal */
|
||||
proposal->set_spi(proposal, PROTO_AH, (u_int64_t)this->my_ah_spi);
|
||||
break;
|
||||
case PROTO_ESP:
|
||||
/* do we already have an spi for ESP?*/
|
||||
if (this->my_esp_spi == 0)
|
||||
{
|
||||
/* nope, get one */
|
||||
status = charon->kernel_interface->get_spi(
|
||||
charon->kernel_interface,
|
||||
this->me, this->other,
|
||||
PROTO_ESP, FALSE,
|
||||
&(this->my_esp_spi));
|
||||
}
|
||||
/* update proposal */
|
||||
proposal->set_spi(proposal, PROTO_ESP, (u_int64_t)this->my_esp_spi);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
this->me.addr, this->other.addr,
|
||||
protocol, FALSE,
|
||||
&(this->me.spi));
|
||||
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
iterator->destroy(iterator);
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
/* update proposal */
|
||||
proposal->set_spi(proposal, (u_int64_t)this->me.spi);
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
return SUCCESS;
|
||||
|
@ -194,7 +164,6 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
|
|||
|
||||
static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus, bool mine)
|
||||
{
|
||||
protocol_id_t protocols[2];
|
||||
u_int32_t spi;
|
||||
encryption_algorithm_t enc_algo;
|
||||
integrity_algorithm_t int_algo;
|
||||
|
@ -206,59 +175,39 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
|
|||
host_t *src;
|
||||
host_t *dst;
|
||||
status_t status;
|
||||
u_int i;
|
||||
|
||||
/* we must assign the roles to correctly set up the SAs */
|
||||
if (mine)
|
||||
{
|
||||
src = this->me;
|
||||
dst = this->other;
|
||||
src = this->me.addr;
|
||||
dst = this->other.addr;
|
||||
}
|
||||
else
|
||||
{
|
||||
dst = this->me;
|
||||
src = this->other;
|
||||
dst = this->me.addr;
|
||||
src = this->other.addr;
|
||||
}
|
||||
|
||||
proposal->get_protocols(proposal, protocols);
|
||||
/* derive keys in order as protocols appear */
|
||||
for (i = 0; i<2; i++)
|
||||
{
|
||||
if (protocols[i] != PROTO_NONE)
|
||||
{
|
||||
this->protocol = proposal->get_protocol(proposal);
|
||||
|
||||
/* now we have to decide which spi to use. Use self allocated, if "mine",
|
||||
* or the one in the proposal, if not "mine" (others). */
|
||||
if (mine)
|
||||
{
|
||||
if (protocols[i] == PROTO_AH)
|
||||
{
|
||||
spi = this->my_ah_spi;
|
||||
spi = this->me.spi;
|
||||
}
|
||||
else
|
||||
{
|
||||
spi = this->my_esp_spi;
|
||||
}
|
||||
}
|
||||
else /* use proposals spi */
|
||||
{
|
||||
spi = proposal->get_spi(proposal, protocols[i]);
|
||||
if (protocols[i] == PROTO_AH)
|
||||
{
|
||||
this->other_ah_spi = spi;
|
||||
}
|
||||
else
|
||||
{
|
||||
this->other_esp_spi = spi;
|
||||
}
|
||||
spi = proposal->get_spi(proposal);
|
||||
this->other.spi = spi;
|
||||
}
|
||||
|
||||
/* derive encryption key first */
|
||||
if (proposal->get_algorithm(proposal, protocols[i], ENCRYPTION_ALGORITHM, &algo))
|
||||
if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
|
||||
{
|
||||
enc_algo = algo->algorithm;
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s, ",
|
||||
mapping_find(protocol_id_m, protocols[i]),
|
||||
mapping_find(protocol_id_m, this->protocol),
|
||||
mine ? "me" : "other",
|
||||
mapping_find(transform_type_m, ENCRYPTION_ALGORITHM),
|
||||
mapping_find(encryption_algorithm_m, enc_algo));
|
||||
|
@ -280,11 +229,11 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
|
|||
}
|
||||
|
||||
/* derive integrity key */
|
||||
if (proposal->get_algorithm(proposal, protocols[i], INTEGRITY_ALGORITHM, &algo))
|
||||
if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
|
||||
{
|
||||
int_algo = algo->algorithm;
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s,",
|
||||
mapping_find(protocol_id_m, protocols[i]),
|
||||
mapping_find(protocol_id_m, this->protocol),
|
||||
mine ? "me" : "other",
|
||||
mapping_find(transform_type_m, INTEGRITY_ALGORITHM),
|
||||
mapping_find(integrity_algorithm_m, algo->algorithm));
|
||||
|
@ -299,19 +248,21 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
|
|||
{
|
||||
int_algo = AUTH_UNDEFINED;
|
||||
}
|
||||
|
||||
/* send keys down to kernel */
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1,
|
||||
"installing 0x%.8x for %s, src %s dst %s",
|
||||
ntohl(spi), mapping_find(protocol_id_m, protocols[i]),
|
||||
ntohl(spi), mapping_find(protocol_id_m, this->protocol),
|
||||
src->get_address(src), dst->get_address(dst));
|
||||
status = charon->kernel_interface->add_sa(charon->kernel_interface,
|
||||
src, dst,
|
||||
spi, protocols[i],
|
||||
spi, this->protocol,
|
||||
this->reqid,
|
||||
5, 30,
|
||||
mine ? 0 : this->soft_lifetime,
|
||||
this->hard_lifetime,
|
||||
enc_algo, enc_key,
|
||||
int_algo, int_key, mine);
|
||||
/* clean up for next round */
|
||||
/* clean up */
|
||||
if (enc_algo != ENCR_UNDEFINED)
|
||||
{
|
||||
chunk_free(&enc_key);
|
||||
|
@ -320,14 +271,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
|
|||
{
|
||||
chunk_free(&int_key);
|
||||
}
|
||||
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
}
|
||||
return SUCCESS;
|
||||
return status;
|
||||
}
|
||||
|
||||
static status_t add(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus)
|
||||
|
@ -412,8 +356,8 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
|
|||
from_port = my_ts->get_from_port(my_ts);
|
||||
to_port = my_ts->get_to_port(my_ts);
|
||||
from_port = (from_port != to_port) ? 0 : from_port;
|
||||
policy->my_net = host_create_from_chunk(family, from_addr, from_port);
|
||||
policy->my_net_mask = my_ts->get_netmask(my_ts);
|
||||
policy->me.net = host_create_from_chunk(family, from_addr, from_port);
|
||||
policy->me.net_mask = my_ts->get_netmask(my_ts);
|
||||
chunk_free(&from_addr);
|
||||
|
||||
/* calculate net and ports for remote side */
|
||||
|
@ -422,41 +366,44 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
|
|||
from_port = other_ts->get_from_port(other_ts);
|
||||
to_port = other_ts->get_to_port(other_ts);
|
||||
from_port = (from_port != to_port) ? 0 : from_port;
|
||||
policy->other_net = host_create_from_chunk(family, from_addr, from_port);
|
||||
policy->other_net_mask = other_ts->get_netmask(other_ts);
|
||||
policy->other.net = host_create_from_chunk(family, from_addr, from_port);
|
||||
policy->other.net_mask = other_ts->get_netmask(other_ts);
|
||||
chunk_free(&from_addr);
|
||||
|
||||
/* install 3 policies: out, in and forward */
|
||||
status = charon->kernel_interface->add_policy(charon->kernel_interface,
|
||||
this->me, this->other,
|
||||
policy->my_net, policy->other_net,
|
||||
policy->my_net_mask, policy->other_net_mask,
|
||||
this->me.addr, this->other.addr,
|
||||
policy->me.net, policy->other.net,
|
||||
policy->me.net_mask, policy->other.net_mask,
|
||||
XFRM_POLICY_OUT, policy->upper_proto,
|
||||
this->my_ah_spi, this->my_esp_spi,
|
||||
this->protocol == PROTO_AH,
|
||||
this->protocol == PROTO_ESP,
|
||||
this->reqid);
|
||||
|
||||
status |= charon->kernel_interface->add_policy(charon->kernel_interface,
|
||||
this->other, this->me,
|
||||
policy->other_net, policy->my_net,
|
||||
policy->other_net_mask, policy->my_net_mask,
|
||||
this->other.addr, this->me.addr,
|
||||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_IN, policy->upper_proto,
|
||||
this->my_ah_spi, this->my_esp_spi,
|
||||
this->protocol == PROTO_AH,
|
||||
this->protocol == PROTO_ESP,
|
||||
this->reqid);
|
||||
|
||||
status |= charon->kernel_interface->add_policy(charon->kernel_interface,
|
||||
this->other, this->me,
|
||||
policy->other_net, policy->my_net,
|
||||
policy->other_net_mask, policy->my_net_mask,
|
||||
this->other.addr, this->me.addr,
|
||||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_FWD, policy->upper_proto,
|
||||
this->my_ah_spi, this->my_esp_spi,
|
||||
this->protocol == PROTO_AH,
|
||||
this->protocol == PROTO_ESP,
|
||||
this->reqid);
|
||||
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
my_iter->destroy(my_iter);
|
||||
other_iter->destroy(other_iter);
|
||||
policy->my_net->destroy(policy->my_net);
|
||||
policy->other_net->destroy(policy->other_net);
|
||||
policy->me.net->destroy(policy->me.net);
|
||||
policy->other.net->destroy(policy->other.net);
|
||||
free(policy);
|
||||
return status;
|
||||
}
|
||||
|
@ -465,7 +412,6 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
|
|||
this->policies->insert_last(this->policies, policy);
|
||||
}
|
||||
}
|
||||
|
||||
my_iter->destroy(my_iter);
|
||||
other_iter->destroy(other_iter);
|
||||
return SUCCESS;
|
||||
|
@ -486,10 +432,11 @@ static void log_status(private_child_sa_t *this, logger_t *logger, char* name)
|
|||
{
|
||||
logger = this->logger;
|
||||
}
|
||||
logger->log(logger, CONTROL|LEVEL1, " \"%s\": protected with ESP (0x%x/0x%x), AH (0x%x,0x%x):",
|
||||
logger->log(logger, CONTROL|LEVEL1, " \"%s\": protected with %s (0x%x/0x%x), reqid %d:",
|
||||
name,
|
||||
htonl(this->my_esp_spi), htonl(this->other_esp_spi),
|
||||
htonl(this->my_ah_spi), htonl(this->other_ah_spi));
|
||||
this->protocol == PROTO_ESP ? "ESP" : "AH",
|
||||
htonl(this->me.spi), htonl(this->other.spi),
|
||||
this->reqid);
|
||||
iterator = this->policies->create_iterator(this->policies, TRUE);
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
|
@ -508,9 +455,9 @@ static void log_status(private_child_sa_t *this, logger_t *logger, char* name)
|
|||
}
|
||||
logger->log(logger, CONTROL, " \"%s\": %s/%d==%s==%s/%d",
|
||||
name,
|
||||
policy->my_net->get_address(policy->my_net), policy->my_net_mask,
|
||||
policy->me.net->get_address(policy->me.net), policy->me.net_mask,
|
||||
proto_name,
|
||||
policy->other_net->get_address(policy->other_net), policy->other_net_mask);
|
||||
policy->other.net->get_address(policy->other.net), policy->other.net_mask);
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
}
|
||||
|
@ -525,43 +472,36 @@ static void destroy(private_child_sa_t *this)
|
|||
while (this->policies->remove_last(this->policies, (void**)&policy) == SUCCESS)
|
||||
{
|
||||
charon->kernel_interface->del_policy(charon->kernel_interface,
|
||||
this->me, this->other,
|
||||
policy->my_net, policy->other_net,
|
||||
policy->my_net_mask, policy->other_net_mask,
|
||||
this->me.addr, this->other.addr,
|
||||
policy->me.net, policy->other.net,
|
||||
policy->me.net_mask, policy->other.net_mask,
|
||||
XFRM_POLICY_OUT, policy->upper_proto);
|
||||
|
||||
charon->kernel_interface->del_policy(charon->kernel_interface,
|
||||
this->other, this->me,
|
||||
policy->other_net, policy->my_net,
|
||||
policy->other_net_mask, policy->my_net_mask,
|
||||
this->other.addr, this->me.addr,
|
||||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_IN, policy->upper_proto);
|
||||
|
||||
charon->kernel_interface->del_policy(charon->kernel_interface,
|
||||
this->other, this->me,
|
||||
policy->other_net, policy->my_net,
|
||||
policy->other_net_mask, policy->my_net_mask,
|
||||
this->other.addr, this->me.addr,
|
||||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_FWD, policy->upper_proto);
|
||||
|
||||
policy->my_net->destroy(policy->my_net);
|
||||
policy->other_net->destroy(policy->other_net);
|
||||
policy->me.net->destroy(policy->me.net);
|
||||
policy->other.net->destroy(policy->other.net);
|
||||
free(policy);
|
||||
}
|
||||
this->policies->destroy(this->policies);
|
||||
|
||||
/* delete SAs in the kernel, if they are set up */
|
||||
if (this->my_ah_spi)
|
||||
if (this->protocol != PROTO_NONE)
|
||||
{
|
||||
charon->kernel_interface->del_sa(charon->kernel_interface,
|
||||
this->other, this->my_ah_spi, PROTO_AH);
|
||||
this->other.addr, this->me.spi, this->protocol);
|
||||
charon->kernel_interface->del_sa(charon->kernel_interface,
|
||||
this->me, this->other_ah_spi, PROTO_AH);
|
||||
}
|
||||
if (this->my_esp_spi)
|
||||
{
|
||||
charon->kernel_interface->del_sa(charon->kernel_interface,
|
||||
this->other, this->my_esp_spi, PROTO_ESP);
|
||||
charon->kernel_interface->del_sa(charon->kernel_interface,
|
||||
this->me, this->other_esp_spi, PROTO_ESP);
|
||||
this->me.addr, this->other.spi, this->protocol);
|
||||
}
|
||||
free(this);
|
||||
}
|
||||
|
@ -569,13 +509,15 @@ static void destroy(private_child_sa_t *this)
|
|||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
child_sa_t * child_sa_create(host_t *me, host_t* other)
|
||||
child_sa_t * child_sa_create(host_t *me, host_t* other, u_int32_t soft_lifetime, u_int32_t hard_lifetime)
|
||||
{
|
||||
static u_int32_t reqid = 2000000000;
|
||||
private_child_sa_t *this = malloc_thing(private_child_sa_t);
|
||||
|
||||
/* public functions */
|
||||
this->public.get_reqid = (u_int32_t(*)(child_sa_t*))get_reqid;
|
||||
this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
|
||||
this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
|
||||
this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
|
||||
this->public.add = (status_t(*)(child_sa_t*,proposal_t*,prf_plus_t*))add;
|
||||
this->public.update = (status_t(*)(child_sa_t*,proposal_t*,prf_plus_t*))update;
|
||||
|
@ -585,14 +527,15 @@ child_sa_t * child_sa_create(host_t *me, host_t* other)
|
|||
|
||||
/* private data */
|
||||
this->logger = logger_manager->get_logger(logger_manager, CHILD_SA);
|
||||
this->me = me;
|
||||
this->other = other;
|
||||
this->my_ah_spi = 0;
|
||||
this->my_esp_spi = 0;
|
||||
this->other_ah_spi = 0;
|
||||
this->other_esp_spi = 0;
|
||||
this->me.addr = me;
|
||||
this->other.addr = other;
|
||||
this->me.spi = 0;
|
||||
this->other.spi = 0;
|
||||
this->soft_lifetime = soft_lifetime;
|
||||
this->hard_lifetime = hard_lifetime;
|
||||
this->reqid = ++reqid;
|
||||
this->policies = linked_list_create();
|
||||
this->protocol = PROTO_NONE;
|
||||
|
||||
return (&this->public);
|
||||
}
|
||||
|
|
|
@ -27,6 +27,7 @@
|
|||
#include <types.h>
|
||||
#include <crypto/prf_plus.h>
|
||||
#include <encoding/payloads/proposal_substructure.h>
|
||||
#include <config/proposal.h>
|
||||
#include <utils/logger.h>
|
||||
|
||||
typedef struct child_sa_t child_sa_t;
|
||||
|
@ -69,6 +70,27 @@ struct child_sa_t {
|
|||
*/
|
||||
u_int32_t (*get_reqid)(child_sa_t *this);
|
||||
|
||||
/**
|
||||
* @brief Get the SPI of this CHILD_SA.
|
||||
*
|
||||
* Set the boolean parameter inbound to TRUE to
|
||||
* get the SPI for which we receive packets, use
|
||||
* FALSE to get those we use for sending packets.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param inbound TRUE to get inbound SPI, FALSE for outbound.
|
||||
* @return spi of the CHILD SA
|
||||
*/
|
||||
u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
|
||||
|
||||
/**
|
||||
* @brief Get the protocol which this CHILD_SA uses to protect traffic.
|
||||
*
|
||||
* @param this calling object
|
||||
* @return AH | ESP
|
||||
*/
|
||||
protocol_id_t (*get_protocol) (child_sa_t *this);
|
||||
|
||||
/**
|
||||
* @brief Allocate SPIs for a given proposals.
|
||||
*
|
||||
|
@ -151,10 +173,12 @@ struct child_sa_t {
|
|||
*
|
||||
* @param me own address
|
||||
* @param other remote address
|
||||
* @param soft_lifetime time before rekeying
|
||||
* @param hard_lifteime time before delete
|
||||
* @return child_sa_t object
|
||||
*
|
||||
* @ingroup sa
|
||||
*/
|
||||
child_sa_t * child_sa_create(host_t *me, host_t *other);
|
||||
child_sa_t * child_sa_create(host_t *me, host_t *other, u_int32_t soft_lifetime, u_int32_t hard_lifetime);
|
||||
|
||||
#endif /*CHILD_SA_H_*/
|
||||
|
|
|
@ -38,8 +38,10 @@
|
|||
#include <encoding/payloads/delete_payload.h>
|
||||
#include <encoding/payloads/transform_substructure.h>
|
||||
#include <encoding/payloads/transform_attribute.h>
|
||||
#include <encoding/payloads/ts_payload.h>
|
||||
#include <sa/states/initiator_init.h>
|
||||
#include <sa/states/responder_init.h>
|
||||
#include <sa/states/create_child_sa_requested.h>
|
||||
#include <queues/jobs/retransmit_request_job.h>
|
||||
#include <queues/jobs/delete_established_ike_sa_job.h>
|
||||
#include <queues/jobs/delete_half_open_ike_sa_job.h>
|
||||
|
@ -84,30 +86,12 @@ struct private_ike_sa_t {
|
|||
state_t *current_state;
|
||||
|
||||
/**
|
||||
* INIT configuration, needed for the IKE_SA_INIT exchange.
|
||||
*
|
||||
* Gets set in states:
|
||||
* - INITATOR_INIT
|
||||
* - RESPONDER_INIT
|
||||
*
|
||||
* Available in states:
|
||||
* - IKE_SA_INIT_REQUESTED
|
||||
* - IKE_SA_INIT_RESPONDED
|
||||
* - IKE_AUTH_REQUESTED
|
||||
* -IKE_SA_ESTABLISHED
|
||||
* Connection definition used for this IKE_SA
|
||||
*/
|
||||
connection_t *connection;
|
||||
|
||||
/**
|
||||
* SA configuration, needed for all other exchanges after IKE_SA_INIT exchange.
|
||||
*
|
||||
* Gets set in states:
|
||||
* - IKE_SA_INIT_REQUESTED
|
||||
* - IKE_SA_INIT_RESPONDED
|
||||
*
|
||||
* Available in states:
|
||||
* - IKE_AUTH_REQUESTED
|
||||
* -IKE_SA_ESTABLISHED
|
||||
* Policy definition used for this IKE_SA
|
||||
*/
|
||||
policy_t *policy;
|
||||
|
||||
|
@ -189,77 +173,6 @@ struct private_ike_sa_t {
|
|||
logger_t *logger;
|
||||
};
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.process_message.
|
||||
*/
|
||||
static status_t process_message(private_ike_sa_t *this, message_t *message)
|
||||
{
|
||||
u_int32_t message_id;
|
||||
exchange_type_t exchange_type;
|
||||
bool is_request;
|
||||
/* We must process each request or response from remote host */
|
||||
|
||||
/* Find out type of message (request or response) */
|
||||
is_request = message->get_request(message);
|
||||
exchange_type = message->get_exchange_type(message);
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s",
|
||||
(is_request) ? "request" : "response",mapping_find(exchange_type_m,exchange_type));
|
||||
|
||||
message_id = message->get_message_id(message);
|
||||
|
||||
/*
|
||||
* It has to be checked, if the message has to be resent cause of lost packets!
|
||||
*/
|
||||
if (is_request && (message_id == (this->message_id_in - 1)))
|
||||
{
|
||||
/* resend last message, if any */
|
||||
if (this->last_responded_message)
|
||||
{
|
||||
packet_t *packet = this->last_responded_message->get_packet(this->last_responded_message);
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
|
||||
charon->send_queue->add(charon->send_queue, packet);
|
||||
return SUCCESS;
|
||||
}
|
||||
else
|
||||
{
|
||||
/* somebody does something nasty here... */
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
|
||||
/* Now, the message id is checked for request AND reply */
|
||||
if (is_request)
|
||||
{
|
||||
/* In a request, the message has to be this->message_id_in (other case is already handled) */
|
||||
if (message_id != this->message_id_in)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | LEVEL1,
|
||||
"Message request with message id %d received, but %d expected",
|
||||
message_id,this->message_id_in);
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
/* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
|
||||
if (message_id != (this->message_id_out - 1))
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | LEVEL1,
|
||||
"Message reply with message id %d received, but %d expected",
|
||||
message_id,this->message_id_in);
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
|
||||
/* now the message is processed by the current state object.
|
||||
* The specific state object is responsible to check if a message can be received in
|
||||
* the state it represents.
|
||||
* The current state is also responsible to change the state object to the next state
|
||||
* by calling protected_ike_sa_t.set_new_state*/
|
||||
return this->current_state->process_message(this->current_state,message);
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of protected_ike_sa_t.build_message.
|
||||
*/
|
||||
|
@ -283,95 +196,6 @@ static void build_message(private_ike_sa_t *this, exchange_type_t type, bool req
|
|||
*message = new_message;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of protected_ike_sa_t.initiate_connection.
|
||||
*/
|
||||
static status_t initiate_connection(private_ike_sa_t *this, connection_t *connection)
|
||||
{
|
||||
initiator_init_t *current_state;
|
||||
|
||||
/* Work is done in state object of type INITIATOR_INIT. All other states are not
|
||||
* initial states and so don't have a initiate_connection function */
|
||||
|
||||
if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
|
||||
{
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
current_state = (initiator_init_t *) this->current_state;
|
||||
|
||||
return current_state->initiate_connection(current_state, connection);
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.get_id.
|
||||
*/
|
||||
static ike_sa_id_t* get_id(private_ike_sa_t *this)
|
||||
{
|
||||
return this->ike_sa_id;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.get_my_host.
|
||||
*/
|
||||
static host_t* get_my_host(private_ike_sa_t *this)
|
||||
{
|
||||
return this->connection->get_my_host(this->connection);;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.get_other_host.
|
||||
*/
|
||||
static host_t* get_other_host(private_ike_sa_t *this)
|
||||
{
|
||||
return this->connection->get_other_host(this->connection);;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.get_my_id.
|
||||
*/
|
||||
static identification_t* get_my_id(private_ike_sa_t *this)
|
||||
{
|
||||
return this->policy->get_my_id(this->policy);;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.get_other_id.
|
||||
*/
|
||||
static identification_t* get_other_id(private_ike_sa_t *this)
|
||||
{
|
||||
return this->policy->get_other_id(this->policy);;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.retransmit_request.
|
||||
*/
|
||||
status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
|
||||
{
|
||||
packet_t *packet;
|
||||
|
||||
if (this->last_requested_message == NULL)
|
||||
{
|
||||
return NOT_FOUND;
|
||||
}
|
||||
|
||||
if (message_id == this->last_replied_message_id)
|
||||
{
|
||||
return NOT_FOUND;
|
||||
}
|
||||
|
||||
if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
|
||||
{
|
||||
return NOT_FOUND;
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id);
|
||||
packet = this->last_requested_message->get_packet(this->last_requested_message);
|
||||
charon->send_queue->add(charon->send_queue, packet);
|
||||
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.get_state.
|
||||
*/
|
||||
|
@ -454,6 +278,74 @@ static prf_t *get_prf_auth_r(private_ike_sa_t *this)
|
|||
{
|
||||
return this->prf_auth_r;
|
||||
}
|
||||
/**
|
||||
* Implementation of ike_sa_t.get_id.
|
||||
*/
|
||||
static ike_sa_id_t* get_id(private_ike_sa_t *this)
|
||||
{
|
||||
return this->ike_sa_id;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.get_my_host.
|
||||
*/
|
||||
static host_t* get_my_host(private_ike_sa_t *this)
|
||||
{
|
||||
return this->connection->get_my_host(this->connection);;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.get_other_host.
|
||||
*/
|
||||
static host_t* get_other_host(private_ike_sa_t *this)
|
||||
{
|
||||
return this->connection->get_other_host(this->connection);;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.get_my_id.
|
||||
*/
|
||||
static identification_t* get_my_id(private_ike_sa_t *this)
|
||||
{
|
||||
return this->policy->get_my_id(this->policy);;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.get_other_id.
|
||||
*/
|
||||
static identification_t* get_other_id(private_ike_sa_t *this)
|
||||
{
|
||||
return this->policy->get_other_id(this->policy);;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.retransmit_request.
|
||||
*/
|
||||
status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
|
||||
{
|
||||
packet_t *packet;
|
||||
|
||||
if (this->last_requested_message == NULL)
|
||||
{
|
||||
return NOT_FOUND;
|
||||
}
|
||||
|
||||
if (message_id == this->last_replied_message_id)
|
||||
{
|
||||
return NOT_FOUND;
|
||||
}
|
||||
|
||||
if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
|
||||
{
|
||||
return NOT_FOUND;
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id);
|
||||
packet = this->last_requested_message->get_packet(this->last_requested_message);
|
||||
charon->send_queue->add(charon->send_queue, packet);
|
||||
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
|
@ -474,7 +366,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d
|
|||
{
|
||||
this->prf->destroy(this->prf);
|
||||
}
|
||||
proposal->get_algorithm(proposal, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, &algo);
|
||||
proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
|
||||
if (algo == NULL)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR|LEVEL2, "No PRF algoithm selected!?");
|
||||
|
@ -540,7 +432,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d
|
|||
|
||||
|
||||
/* SK_ai/SK_ar used for integrity protection */
|
||||
proposal->get_algorithm(proposal, PROTO_IKE, INTEGRITY_ALGORITHM, &algo);
|
||||
proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo);
|
||||
if (algo == NULL)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR|LEVEL2, "No integrity algoithm selected?!");
|
||||
|
@ -578,7 +470,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d
|
|||
|
||||
|
||||
/* SK_ei/SK_er used for encryption */
|
||||
proposal->get_algorithm(proposal, PROTO_IKE, ENCRYPTION_ALGORITHM, &algo);
|
||||
proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo);
|
||||
if (algo == NULL)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR|LEVEL2, "No encryption algoithm selected!?");
|
||||
|
@ -616,7 +508,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d
|
|||
chunk_free(&key);
|
||||
|
||||
/* SK_pi/SK_pr used for authentication */
|
||||
proposal->get_algorithm(proposal, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, &algo);
|
||||
proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
|
||||
if (this->prf_auth_i != NULL)
|
||||
{
|
||||
this->prf_auth_i->destroy(this->prf_auth_i);
|
||||
|
@ -827,7 +719,7 @@ static void send_notify(private_ike_sa_t *this, exchange_type_t exchange_type, n
|
|||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload");
|
||||
/* set up the reply */
|
||||
this->protected.build_message(&(this->protected), exchange_type, FALSE, &response);
|
||||
build_message(this, exchange_type, FALSE, &response);
|
||||
payload = notify_payload_create_from_protocol_and_type(PROTO_IKE, type);
|
||||
if ((data.ptr != NULL) && (data.len > 0))
|
||||
{
|
||||
|
@ -886,6 +778,220 @@ static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
|
|||
this->child_sas->insert_last(this->child_sas, child_sa);
|
||||
}
|
||||
|
||||
/**
|
||||
* Process an informational request
|
||||
*/
|
||||
static status_t process_informational(private_ike_sa_t *this, message_t *request)
|
||||
{
|
||||
delete_payload_t *delete_request = NULL;
|
||||
message_t *response;
|
||||
iterator_t *payloads;
|
||||
state_t *old_state;
|
||||
|
||||
build_message(this, INFORMATIONAL, FALSE, &response);
|
||||
|
||||
payloads = request->get_payload_iterator(request);
|
||||
while (payloads->has_next(payloads))
|
||||
{
|
||||
payload_t *payload;
|
||||
payloads->current(payloads, (void**)&payload);
|
||||
|
||||
switch (payload->get_type(payload))
|
||||
{
|
||||
case DELETE:
|
||||
{
|
||||
delete_request = (delete_payload_t *) payload;
|
||||
break;
|
||||
}
|
||||
default:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)",
|
||||
mapping_find(payload_type_m, payload->get_type(payload)),
|
||||
payload->get_type(payload));
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
/* iterator can be destroyed */
|
||||
payloads->destroy(payloads);
|
||||
|
||||
if (delete_request)
|
||||
{
|
||||
if (delete_request->get_protocol_id(delete_request) == PROTO_IKE)
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL, "DELETE request for IKE_SA received");
|
||||
if (send_response(this, response) != SUCCESS)
|
||||
{
|
||||
/* something is seriously wrong, kill connection */
|
||||
this->logger->log(this->logger, AUDIT, "Unable to send reply. Deleting IKE_SA");
|
||||
response->destroy(response);
|
||||
}
|
||||
/* switch to delete_requested. This is not absolutly correct, but we
|
||||
* allow the clean destruction of an SA only in this state. */
|
||||
old_state = this->current_state;
|
||||
set_new_state(this, (state_t*)delete_requested_create(this));
|
||||
old_state->destroy(old_state);
|
||||
return DESTROY_ME;
|
||||
}
|
||||
else
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL, "DELETE request for CHILD_SA received. Ignored");
|
||||
response->destroy(response);
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Process an informational request
|
||||
*/
|
||||
static status_t process_create_child_sa(private_ike_sa_t *this, message_t *request)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.process_message.
|
||||
*/
|
||||
static status_t process_message(private_ike_sa_t *this, message_t *message)
|
||||
{
|
||||
u_int32_t message_id;
|
||||
exchange_type_t exchange_type;
|
||||
bool is_request;
|
||||
status_t status;
|
||||
crypter_t *crypter;
|
||||
signer_t *signer;
|
||||
|
||||
/* Find out type of message (request or response) */
|
||||
is_request = message->get_request(message);
|
||||
exchange_type = message->get_exchange_type(message);
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s",
|
||||
(is_request) ? "request" : "response",
|
||||
mapping_find(exchange_type_m, exchange_type));
|
||||
|
||||
message_id = message->get_message_id(message);
|
||||
|
||||
/* check if message already received, and retransmit its reply */
|
||||
if (is_request && (message_id == (this->message_id_in - 1)))
|
||||
{
|
||||
/* resend last message, if any */
|
||||
if (this->last_responded_message)
|
||||
{
|
||||
packet_t *packet = this->last_responded_message->get_packet(this->last_responded_message);
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
|
||||
charon->send_queue->add(charon->send_queue, packet);
|
||||
return SUCCESS;
|
||||
}
|
||||
else
|
||||
{
|
||||
/* somebody does something nasty here... */
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
|
||||
/* Now, the message id is checked for request AND reply */
|
||||
if (is_request)
|
||||
{
|
||||
/* In a request, the message has to be this->message_id_in (other case is already handled) */
|
||||
if (message_id != this->message_id_in)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | LEVEL1,
|
||||
"Message request with message id %d received, but %d expected",
|
||||
message_id,this->message_id_in);
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
/* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
|
||||
if (message_id != (this->message_id_out - 1))
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | LEVEL1,
|
||||
"Message reply with message id %d received, but %d expected",
|
||||
message_id,this->message_id_in);
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
|
||||
if (this->current_state->get_state(this->current_state) == IKE_SA_ESTABLISHED)
|
||||
{
|
||||
if (is_request)
|
||||
{
|
||||
/* get signer for verification and crypter for decryption */
|
||||
if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
|
||||
{
|
||||
crypter = this->crypter_initiator;
|
||||
signer = this->signer_initiator;
|
||||
}
|
||||
else
|
||||
{
|
||||
crypter = this->crypter_responder;
|
||||
signer = this->signer_responder;
|
||||
}
|
||||
|
||||
/* parse incoming message */
|
||||
status = message->parse_body(message, crypter, signer);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "%s request decryption failed. Ignoring message",
|
||||
mapping_find(exchange_type_m, message->get_exchange_type(message)));
|
||||
return status;
|
||||
}
|
||||
switch (message->get_exchange_type(message))
|
||||
{
|
||||
case CREATE_CHILD_SA:
|
||||
return process_create_child_sa(this, message);
|
||||
case INFORMATIONAL:
|
||||
return process_informational(this, message);
|
||||
default:
|
||||
this->logger->log(this->logger, CONTROL,
|
||||
"Received a %s request, ignored",
|
||||
mapping_find(exchange_type_m, exchange_type));
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
this->logger->log(this->logger, ERROR|LEVEL1,
|
||||
"Received an unexpected %s response, ignored",
|
||||
mapping_find(exchange_type_m, exchange_type));
|
||||
}
|
||||
return FAILED;
|
||||
}
|
||||
else
|
||||
{
|
||||
/* now the message is processed by the current state object.
|
||||
* The specific state object is responsible to check if a message can be received in
|
||||
* the state it represents.
|
||||
* The current state is also responsible to change the state object to the next state
|
||||
* by calling protected_ike_sa_t.set_new_state
|
||||
*/
|
||||
return this->current_state->process_message(this->current_state, message);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of protected_ike_sa_t.initiate_connection.
|
||||
*/
|
||||
static status_t initiate_connection(private_ike_sa_t *this, connection_t *connection)
|
||||
{
|
||||
initiator_init_t *current_state;
|
||||
|
||||
/* Work is done in state object of type INITIATOR_INIT. All other states are not
|
||||
* initial states and so don't have a initiate_connection function */
|
||||
|
||||
if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
|
||||
{
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
current_state = (initiator_init_t *) this->current_state;
|
||||
|
||||
return current_state->initiate_connection(current_state, connection);
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.get_child_sa.
|
||||
*/
|
||||
|
@ -908,6 +1014,83 @@ static child_sa_t *get_child_sa(private_ike_sa_t *this, u_int32_t reqid)
|
|||
return found;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.delete_child_sa.
|
||||
*/
|
||||
static status_t delete_child_sa(private_ike_sa_t *this, u_int32_t reqid)
|
||||
{
|
||||
return NOT_FOUND;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of ike_sa_t.rekey_child_sa.
|
||||
*/
|
||||
static status_t rekey_child_sa(private_ike_sa_t *this, u_int32_t reqid)
|
||||
{
|
||||
message_t *request;
|
||||
child_sa_t *child_sa;
|
||||
notify_payload_t *notify;
|
||||
sa_payload_t *sa_payload;
|
||||
ts_payload_t *tsi_payload, *tsr_payload;
|
||||
nonce_payload_t *nonce_payload;
|
||||
policy_t *policy;
|
||||
randomizer_t *randomizer;
|
||||
linked_list_t *proposals;
|
||||
chunk_t nonce;
|
||||
linked_list_t *my_ts, *other_ts;
|
||||
state_t *old_state;
|
||||
|
||||
if (this->current_state->get_state(this->current_state) != IKE_SA_ESTABLISHED)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR|LEVEL1,
|
||||
"Rekeying of an IKE_SA not in state IKE_SA_ESTABLISHED, aborting", reqid);
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
child_sa = get_child_sa(this, reqid);
|
||||
if (child_sa == NULL)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR|LEVEL1,
|
||||
"IKE_SA does not contain a CHILD_SA with reqid %d", reqid);
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
build_message(this, CREATE_CHILD_SA, TRUE, &request);
|
||||
notify = notify_payload_create_from_protocol_and_type(
|
||||
child_sa->get_protocol(child_sa), REKEY_SA);
|
||||
notify->set_spi(notify, child_sa->get_spi(child_sa, TRUE));
|
||||
request->add_payload(request, (payload_t*)notify);
|
||||
|
||||
proposals = this->policy->get_proposals(this->policy);
|
||||
sa_payload = sa_payload_create_from_proposal_list(proposals);
|
||||
request->add_payload(request, (payload_t*)sa_payload);
|
||||
|
||||
nonce_payload = nonce_payload_create();
|
||||
if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer,
|
||||
NONCE_SIZE, &nonce))
|
||||
{
|
||||
request->destroy(request);
|
||||
return FAILED;
|
||||
}
|
||||
nonce_payload->set_nonce(nonce_payload, nonce);
|
||||
request->add_payload(request, (payload_t*)nonce_payload);
|
||||
|
||||
my_ts = this->policy->get_my_traffic_selectors(this->policy);
|
||||
other_ts = this->policy->get_my_traffic_selectors(this->policy);
|
||||
tsi_payload = ts_payload_create_from_traffic_selectors(TRUE, my_ts);
|
||||
tsr_payload = ts_payload_create_from_traffic_selectors(FALSE, other_ts);
|
||||
request->add_payload(request, (payload_t*)tsi_payload);
|
||||
request->add_payload(request, (payload_t*)tsr_payload);
|
||||
|
||||
send_request(this, request);
|
||||
|
||||
old_state = this->current_state;
|
||||
set_new_state(this, (state_t*)create_child_sa_requested_create(&this->protected, nonce));
|
||||
old_state->destroy(old_state);
|
||||
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of protected_ike_sa_t.reset_message_buffers.
|
||||
*/
|
||||
|
@ -1125,7 +1308,6 @@ static void destroy(private_ike_sa_t *this)
|
|||
this->ike_sa_id->destroy(this->ike_sa_id);
|
||||
this->randomizer->destroy(this->randomizer);
|
||||
this->current_state->destroy(this->current_state);
|
||||
|
||||
free(this);
|
||||
}
|
||||
|
||||
|
@ -1139,6 +1321,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
|
|||
/* Public functions */
|
||||
this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
|
||||
this->protected.public.initiate_connection = (status_t(*)(ike_sa_t*,connection_t*)) initiate_connection;
|
||||
this->protected.public.delete_child_sa = (status_t(*)(ike_sa_t*,u_int32_t)) delete_child_sa;
|
||||
this->protected.public.rekey_child_sa = (status_t(*)(ike_sa_t*,u_int32_t)) rekey_child_sa;
|
||||
this->protected.public.get_child_sa = (child_sa_t*(*)(ike_sa_t*,u_int32_t))get_child_sa;
|
||||
this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
|
||||
this->protected.public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host;
|
||||
|
@ -1153,7 +1337,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
|
|||
this->protected.public.destroy = (void(*)(ike_sa_t*))destroy;
|
||||
|
||||
/* protected functions */
|
||||
this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message;
|
||||
this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t,bool,message_t**)) build_message;
|
||||
this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
|
||||
this->protected.get_child_prf = (prf_t *(*) (protected_ike_sa_t *)) get_child_prf;
|
||||
this->protected.get_prf_auth_i = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_i;
|
||||
|
|
|
@ -126,6 +126,34 @@ struct ike_sa_t {
|
|||
*/
|
||||
child_sa_t* (*get_child_sa) (ike_sa_t *this, u_int32_t reqid);
|
||||
|
||||
/**
|
||||
* @brief Close the CHILD SA with the specified reqid.
|
||||
*
|
||||
* Looks for a CHILD SA owned by this IKE_SA, deletes it and
|
||||
* notify's the remote peer about the delete. The associated
|
||||
* states and policies in the kernel get deleted, if they exist.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param reqid reqid of the child SA, as used in the kernel
|
||||
* @return
|
||||
* - NOT_FOUND, if IKE_SA has no such CHILD_SA
|
||||
* - SUCCESS, if deleted and delete message sent
|
||||
*/
|
||||
status_t (*delete_child_sa) (ike_sa_t *this, u_int32_t reqid);
|
||||
|
||||
/**
|
||||
* @brief Rekey the CHILD SA with the specified reqid.
|
||||
*
|
||||
* Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param spi security parameter index identifying the SA to rekey
|
||||
* @return
|
||||
* - NOT_FOUND, if IKE_SA has no such CHILD_SA
|
||||
* - SUCCESS, if rekeying initiated
|
||||
*/
|
||||
status_t (*rekey_child_sa) (ike_sa_t *this, u_int32_t reqid);
|
||||
|
||||
/**
|
||||
* @brief Get local peer address of the IKE_SA.
|
||||
*
|
||||
|
|
|
@ -0,0 +1,112 @@
|
|||
/**
|
||||
* @file create_child_sa_requested.c
|
||||
*
|
||||
* @brief State after a CREATE_CHILD_SA request was sent.
|
||||
*
|
||||
*/
|
||||
|
||||
/*
|
||||
* Copyright (C) 2006 Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "create_child_sa_requested.h"
|
||||
|
||||
#include <sa/child_sa.h>
|
||||
#include <encoding/payloads/ts_payload.h>
|
||||
#include <encoding/payloads/sa_payload.h>
|
||||
#include <encoding/payloads/nonce_payload.h>
|
||||
#include <encoding/payloads/notify_payload.h>
|
||||
#include <utils/logger_manager.h>
|
||||
|
||||
|
||||
typedef struct private_create_child_sa_requested_t private_create_child_sa_requested_t;
|
||||
|
||||
/**
|
||||
* Private data of a create_child_sa_requested_t object.
|
||||
*/
|
||||
struct private_create_child_sa_requested_t {
|
||||
/**
|
||||
* Public interface of create_child_sa_requested_t.
|
||||
*/
|
||||
create_child_sa_requested_t public;
|
||||
|
||||
/**
|
||||
* Assigned IKE_SA.
|
||||
*/
|
||||
protected_ike_sa_t *ike_sa;
|
||||
|
||||
/**
|
||||
* nonce chosen by initiator
|
||||
*/
|
||||
chunk_t nonce_i;
|
||||
|
||||
/**
|
||||
* nonce chosen by the responder
|
||||
*/
|
||||
chunk_t nonce_r;
|
||||
|
||||
/**
|
||||
* Assigned logger.
|
||||
*
|
||||
* Is logger of ike_sa!
|
||||
*/
|
||||
logger_t *logger;
|
||||
};
|
||||
|
||||
/**
|
||||
* Implements state_t.get_state
|
||||
*/
|
||||
static status_t process_message(private_create_child_sa_requested_t *this, message_t *request)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "NOT IMPLEMENTED");
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements state_t.get_state
|
||||
*/
|
||||
static ike_sa_state_t get_state(private_create_child_sa_requested_t *this)
|
||||
{
|
||||
return CREATE_CHILD_SA_REQUESTED;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of state_t.destroy.
|
||||
*/
|
||||
static void destroy(private_create_child_sa_requested_t *this)
|
||||
{
|
||||
chunk_free(&this->nonce_i);
|
||||
chunk_free(&this->nonce_r);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
create_child_sa_requested_t *create_child_sa_requested_create(protected_ike_sa_t *ike_sa, chunk_t nonce_i)
|
||||
{
|
||||
private_create_child_sa_requested_t *this = malloc_thing(private_create_child_sa_requested_t);
|
||||
|
||||
/* interface functions */
|
||||
this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
|
||||
this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
|
||||
this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
|
||||
|
||||
/* private data */
|
||||
this->ike_sa = ike_sa;
|
||||
this->nonce_i = nonce_i;
|
||||
this->nonce_r = CHUNK_INITIALIZER;
|
||||
this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
|
||||
|
||||
return &(this->public);
|
||||
}
|
|
@ -0,0 +1,57 @@
|
|||
/**
|
||||
* @file create_child_sa_requested.h
|
||||
*
|
||||
* @brief Interface of create_child_sa_requested_t.
|
||||
*
|
||||
*/
|
||||
|
||||
/*
|
||||
* Copyright (C) 2006 Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#ifndef CREATE_CHILD_SA_REQEUSTED_H_
|
||||
#define CREATE_CHILD_SA_REQEUSTED_H_
|
||||
|
||||
#include <sa/states/state.h>
|
||||
#include <sa/ike_sa.h>
|
||||
|
||||
typedef struct create_child_sa_requested_t create_child_sa_requested_t;
|
||||
|
||||
/**
|
||||
* @brief State after a CREATE_CHILD_SA request was sent.
|
||||
*
|
||||
* @b Constructors:
|
||||
* - create_child_sa_requested_create()
|
||||
*
|
||||
* @ingroup states
|
||||
*/
|
||||
struct create_child_sa_requested_t {
|
||||
/**
|
||||
* methods of the state_t interface
|
||||
*/
|
||||
state_t state_interface;
|
||||
};
|
||||
|
||||
/**
|
||||
* @brief Constructor of class create_child_sa_requested_t
|
||||
*
|
||||
* @param ike_sa assigned ike_sa
|
||||
* @param nonce nonce sent at initialization
|
||||
* @return created create_child_sa_requested_t object
|
||||
*
|
||||
* @ingroup states
|
||||
*/
|
||||
create_child_sa_requested_t *create_child_sa_requested_create(protected_ike_sa_t *ike_sa, chunk_t nonce_i);
|
||||
|
||||
#endif /*CREATE_CHILD_SA_REQEUSTED_H_*/
|
|
@ -48,138 +48,13 @@ struct private_ike_sa_established_t {
|
|||
logger_t *logger;
|
||||
};
|
||||
|
||||
/**
|
||||
* Process an informational request
|
||||
*/
|
||||
static status_t process_informational(private_ike_sa_established_t *this, message_t *request, message_t *response)
|
||||
{
|
||||
delete_payload_t *delete_request = NULL;
|
||||
iterator_t *payloads = request->get_payload_iterator(request);
|
||||
|
||||
while (payloads->has_next(payloads))
|
||||
{
|
||||
payload_t *payload;
|
||||
payloads->current(payloads, (void**)&payload);
|
||||
|
||||
switch (payload->get_type(payload))
|
||||
{
|
||||
case DELETE:
|
||||
{
|
||||
delete_request = (delete_payload_t *) payload;
|
||||
break;
|
||||
}
|
||||
default:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)",
|
||||
mapping_find(payload_type_m, payload->get_type(payload)),
|
||||
payload->get_type(payload));
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
/* iterator can be destroyed */
|
||||
payloads->destroy(payloads);
|
||||
|
||||
if (delete_request)
|
||||
{
|
||||
if (delete_request->get_protocol_id(delete_request) == PROTO_IKE)
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL, "DELETE request for IKE_SA received");
|
||||
/* we reply with an empty informational message */
|
||||
return DESTROY_ME;
|
||||
}
|
||||
else
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL, "DELETE request for CHILD_SA received. Ignored");
|
||||
response->destroy(response);
|
||||
return SUCCESS;
|
||||
}
|
||||
}
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements state_t.get_state
|
||||
*/
|
||||
static status_t process_message(private_ike_sa_established_t *this, message_t *message)
|
||||
{
|
||||
delete_payload_t *delete_request = NULL;
|
||||
ike_sa_id_t *ike_sa_id;
|
||||
iterator_t *payloads;
|
||||
message_t *response;
|
||||
crypter_t *crypter;
|
||||
signer_t *signer;
|
||||
status_t status;
|
||||
|
||||
/* only requests are allowed, responses are handled in sub-states */
|
||||
if (!message->get_request(message))
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | LEVEL1,
|
||||
"INFORMATIONAL responses not handled in state ike_sa_established");
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
/* get signer for verification and crypter for decryption */
|
||||
ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public));
|
||||
if (!ike_sa_id->is_initiator(ike_sa_id))
|
||||
{
|
||||
crypter = this->ike_sa->get_crypter_initiator(this->ike_sa);
|
||||
signer = this->ike_sa->get_signer_initiator(this->ike_sa);
|
||||
}
|
||||
else
|
||||
{
|
||||
crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
|
||||
signer = this->ike_sa->get_signer_responder(this->ike_sa);
|
||||
}
|
||||
|
||||
/* parse incoming message */
|
||||
status = message->parse_body(message, crypter, signer);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "%s request decryption failed. Ignoring message",
|
||||
mapping_find(exchange_type_m, message->get_exchange_type(message)));
|
||||
return status;
|
||||
}
|
||||
|
||||
/* prepare a reply of the same type */
|
||||
this->ike_sa->build_message(this->ike_sa, message->get_exchange_type(message), FALSE, &response);
|
||||
|
||||
/* handle the different message types in their functions */
|
||||
switch (message->get_exchange_type(message))
|
||||
{
|
||||
case INFORMATIONAL:
|
||||
status = process_informational(this, message, response);
|
||||
break;
|
||||
default:
|
||||
this->logger->log(this->logger, ERROR | LEVEL1,
|
||||
"Message of type %s currently not supported in state ike_sa_established",
|
||||
mapping_find(exchange_type_m, message->get_exchange_type(message)));
|
||||
status = NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
/* if we get a DESTROY_ME, we respond to follow strict request/reply scheme */
|
||||
if (status == SUCCESS || status == DESTROY_ME)
|
||||
{
|
||||
if (this->ike_sa->send_response(this->ike_sa, response) != SUCCESS)
|
||||
{
|
||||
/* something is seriously wrong, kill connection */
|
||||
this->logger->log(this->logger, AUDIT, "Unable to send reply. Deleting IKE_SA");
|
||||
response->destroy(response);
|
||||
status = DESTROY_ME;
|
||||
}
|
||||
else if (status == DESTROY_ME)
|
||||
{
|
||||
/* switch to delete_requested. This is not absolutly correct, but we
|
||||
* allow the clean destruction of an SA only in this state. */
|
||||
this->ike_sa->set_new_state(this->ike_sa, (state_t*)delete_requested_create(this));
|
||||
this->public.state_interface.destroy(&(this->public.state_interface));
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
response->destroy(response);
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -572,7 +572,9 @@ static status_t build_sa_payload (private_ike_sa_init_requested_t *this, message
|
|||
/* build child sa */
|
||||
connection = this->ike_sa->get_connection(this->ike_sa);
|
||||
this->child_sa = child_sa_create(connection->get_my_host(connection),
|
||||
connection->get_other_host(connection));
|
||||
connection->get_other_host(connection),
|
||||
policy->get_soft_lifetime(policy),
|
||||
policy->get_hard_lifetime(policy));
|
||||
if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA");
|
||||
|
|
|
@ -441,6 +441,7 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
|
|||
prf_plus_t *prf_plus;
|
||||
status_t status;
|
||||
connection_t *connection;
|
||||
policy_t *policy;
|
||||
|
||||
/* prepare reply */
|
||||
sa_response = sa_payload_create();
|
||||
|
@ -474,9 +475,12 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
|
|||
prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
|
||||
chunk_free(&seed);
|
||||
|
||||
policy = this->ike_sa->get_policy(this->ike_sa);
|
||||
connection = this->ike_sa->get_connection(this->ike_sa);
|
||||
this->child_sa = child_sa_create(connection->get_my_host(connection),
|
||||
connection->get_other_host(connection));
|
||||
connection->get_other_host(connection),
|
||||
policy->get_soft_lifetime(policy),
|
||||
policy->get_hard_lifetime(policy));
|
||||
|
||||
status = this->child_sa->add(this->child_sa, proposal, prf_plus);
|
||||
prf_plus->destroy(prf_plus);
|
||||
|
|
|
@ -159,14 +159,15 @@ status_t retry_initiate_connection (private_initiator_init_t *this, diffie_hellm
|
|||
message_t *message;
|
||||
status_t status;
|
||||
|
||||
if (dh_group == MODP_UNDEFINED)
|
||||
this->diffie_hellman = diffie_hellman_create(dh_group);
|
||||
if (this->diffie_hellman == NULL)
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "No DH group acceptable for initialization, Aborting");
|
||||
this->logger->log(this->logger, AUDIT, "DH group %s (%d) not supported, aborting",
|
||||
mapping_find(diffie_hellman_group_m, dh_group), dh_group);
|
||||
return DESTROY_ME;
|
||||
}
|
||||
|
||||
connection = this->ike_sa->get_connection(this->ike_sa);
|
||||
this->diffie_hellman = diffie_hellman_create(dh_group);
|
||||
ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public));
|
||||
ike_sa_id->set_responder_spi(ike_sa_id,0);
|
||||
|
||||
|
@ -176,10 +177,8 @@ status_t retry_initiate_connection (private_initiator_init_t *this, diffie_hellm
|
|||
|
||||
/* build SA payload */
|
||||
this->build_sa_payload(this, message);
|
||||
|
||||
/* build KE payload */
|
||||
this->build_ke_payload(this, message);
|
||||
|
||||
/* build Nonce payload */
|
||||
status = this->build_nonce_payload(this, message);
|
||||
if (status != SUCCESS)
|
||||
|
@ -188,7 +187,6 @@ status_t retry_initiate_connection (private_initiator_init_t *this, diffie_hellm
|
|||
message->destroy(message);
|
||||
return DESTROY_ME;
|
||||
}
|
||||
|
||||
/* message can now be sent (must not be destroyed) */
|
||||
status = this->ike_sa->send_request(this->ike_sa, message);
|
||||
if (status != SUCCESS)
|
||||
|
@ -244,7 +242,7 @@ static void build_ke_payload(private_initiator_init_t *this, message_t *request)
|
|||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "Building KE payload");
|
||||
|
||||
this->diffie_hellman->get_my_public_value(this->diffie_hellman,&key_data);
|
||||
this->diffie_hellman->get_my_public_value(this->diffie_hellman, &key_data);
|
||||
dh_group = this->diffie_hellman->get_dh_group(this->diffie_hellman);
|
||||
|
||||
ke_payload = ke_payload_create();
|
||||
|
|
|
@ -343,7 +343,7 @@ static status_t build_sa_payload(private_responder_init_t *this,sa_payload_t *sa
|
|||
return DESTROY_ME;
|
||||
}
|
||||
/* get selected DH group to force policy, this is very restrictive!? */
|
||||
this->proposal->get_algorithm(this->proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, &algo);
|
||||
this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP, &algo);
|
||||
this->dh_group_number = algo->algorithm;
|
||||
|
||||
this->logger->log(this->logger, CONTROL | LEVEL2, "SA Payload processed");
|
||||
|
|
|
@ -34,5 +34,6 @@ mapping_t ike_sa_state_m[] = {
|
|||
{IKE_AUTH_REQUESTED, "IKE_AUTH_REQUESTED"},
|
||||
{IKE_SA_ESTABLISHED, "IKE_SA_ESTABLISHED"},
|
||||
{DELETE_REQUESTED, "DELETE_REQUESTED"},
|
||||
{CREATE_CHILD_SA_REQUESTED, "CREATE_CHILD_SA_REQUESTED"},
|
||||
{MAPPING_END, NULL}
|
||||
};
|
||||
|
|
|
@ -34,6 +34,8 @@ typedef enum ike_sa_state_t ike_sa_state_t;
|
|||
*
|
||||
* @todo Support of more states (CHILD_SA_REQUESTED, etc...)
|
||||
*
|
||||
* @see state_t for state diagram
|
||||
*
|
||||
* @ingroup states
|
||||
*/
|
||||
enum ike_sa_state_t {
|
||||
|
@ -54,7 +56,7 @@ enum ike_sa_state_t {
|
|||
*
|
||||
* Implemented in class responder_init_t.
|
||||
*/
|
||||
RESPONDER_INIT = 2,
|
||||
RESPONDER_INIT,
|
||||
|
||||
/**
|
||||
* @brief A IKE_SA_INIT request was sent. In this state a reply of type IKE_SA_INIT is expected.
|
||||
|
@ -65,7 +67,7 @@ enum ike_sa_state_t {
|
|||
*
|
||||
* Implemented in class ike_sa_init_requested_t.
|
||||
*/
|
||||
IKE_SA_INIT_REQUESTED = 3,
|
||||
IKE_SA_INIT_REQUESTED,
|
||||
|
||||
/**
|
||||
* @brief A IKE_SA_INIT response was sent. In this state a request of type IKE_AUTH is expected.
|
||||
|
@ -74,7 +76,7 @@ enum ike_sa_state_t {
|
|||
*
|
||||
* Implemented in class ike_sa_init_responded_t.
|
||||
*/
|
||||
IKE_SA_INIT_RESPONDED = 4,
|
||||
IKE_SA_INIT_RESPONDED,
|
||||
|
||||
/**
|
||||
* @brief An IKE_AUTH request was sent after a successful IKE_SA_INIT-exchange.
|
||||
|
@ -83,7 +85,7 @@ enum ike_sa_state_t {
|
|||
*
|
||||
* Implemented in class ike_auth_requested_t.
|
||||
*/
|
||||
IKE_AUTH_REQUESTED = 5,
|
||||
IKE_AUTH_REQUESTED,
|
||||
|
||||
/**
|
||||
* @brief An IKE_AUTH exchange was successfuly handled either as initiator or responder.
|
||||
|
@ -92,7 +94,7 @@ enum ike_sa_state_t {
|
|||
*
|
||||
* Implemented in class ike_sa_established_t.
|
||||
*/
|
||||
IKE_SA_ESTABLISHED = 6,
|
||||
IKE_SA_ESTABLISHED,
|
||||
|
||||
/**
|
||||
* @brief An IKE SA has sent a DELETE IKE_SA to the other peer.
|
||||
|
@ -103,7 +105,9 @@ enum ike_sa_state_t {
|
|||
*
|
||||
* Implemented in class delete_requested.
|
||||
*/
|
||||
DELETE_REQUESTED = 7
|
||||
DELETE_REQUESTED,
|
||||
|
||||
CREATE_CHILD_SA_REQUESTED,
|
||||
};
|
||||
|
||||
|
||||
|
@ -118,22 +122,55 @@ typedef struct state_t state_t;
|
|||
/**
|
||||
* @brief This interface represents an IKE_SA state.
|
||||
*
|
||||
* A state_t object is responsible to handle incoming messages.
|
||||
* A state_t object is responsible to handle incoming messages. States
|
||||
* are exclusive, an IKE_SA is exactly in one state. They are used on IKE_SA
|
||||
* setup, as there is a strict scheme message exchange follow. This can be
|
||||
* mapped in a state machine. Every state is represented in a single class,
|
||||
* and the IKE_SA may switch these states by replacing the owned state.
|
||||
@verbatim
|
||||
initiator responder
|
||||
--------- ---------
|
||||
|
||||
¦ ¦
|
||||
V ¦
|
||||
+-----------------------+ ¦
|
||||
¦ initiator_init ¦ msg1 V
|
||||
+-----------------------+ -----> +-----------------------+
|
||||
¦ msg2 ¦ responder_init ¦
|
||||
V <----- +-----------------------+
|
||||
+-----------------------+ ¦
|
||||
¦ ike_sa_init_requested ¦ msg3 V
|
||||
+-----------------------+ -----> +-----------------------+
|
||||
¦ msg4 ¦ ike_sa_init_requested ¦
|
||||
V <----- +-----------------------+
|
||||
+-----------------------+ ¦
|
||||
¦ ike_auth_requested ¦ ¦
|
||||
+-----------------------+ ¦
|
||||
¦ ¦
|
||||
V V
|
||||
+---------------------------+
|
||||
¦ ike_sa_established ¦
|
||||
+---------------------------+
|
||||
¦
|
||||
V
|
||||
+---------------------------+
|
||||
¦ delete_requested ¦
|
||||
+---------------------------+
|
||||
|
||||
msg1 = IKE_SA_INIT request
|
||||
msg2 = IKE_SA_INIT response
|
||||
msg3 = IKE_AUTH request
|
||||
msg4 = IKE_AUTH response
|
||||
@endverbatim
|
||||
* Every state can be left by deleting the IKE_SA, except the state
|
||||
* ike_sa_established: it must switch to the delete_requested state first,
|
||||
* as the peer must be informed about the delete.
|
||||
*
|
||||
* It's the responsibility of the state_t object to parse the body of the message and to process each
|
||||
* payload.
|
||||
*
|
||||
* Needed Configurations and transform objects can be retrieved over an internal stored protected_ike_sa_t object
|
||||
* which is passed to a state_t object when creating it (see different constructors).
|
||||
*
|
||||
* The following states are supported and implemented:
|
||||
* - INITIATOR_INIT: implemented in initiator_init_t
|
||||
* - RESPONDER_INIT: implemented in responder_init_t
|
||||
* - IKE_SA_INIT_REQUESTED: implemented in ike_sa_init_requested_t
|
||||
* - IKE_SA_INIT_RESPONDED: implemented in ike_sa_init_responded_t
|
||||
* - IKE_AUTH_REQUESTED: implemented in ike_auth_requested_t
|
||||
* - IKE_SA_ESTABLISHED: implemented in ike_sa_established_t
|
||||
* - DELETE_REQUESTED: implemented in delete_requested_t
|
||||
* For the handling of message in a established IKE_SA, another concept is used.
|
||||
* The state-concept is good if a single state is possible. But in a established
|
||||
* IKE_SA, there is no strict message order, and if a window size > 1 is used,
|
||||
* multiple "states" would be possible. We call this transactions, better
|
||||
* descripted in the transaction_t interface.
|
||||
*
|
||||
* @b Constructors:
|
||||
* - initiator_init_create()
|
||||
|
@ -176,4 +213,4 @@ struct state_t {
|
|||
void (*destroy) (state_t *this);
|
||||
};
|
||||
|
||||
#endif /*STATE_H_*/
|
||||
#endif /* STATE_H_ */
|
||||
|
|
|
@ -29,7 +29,7 @@ $(top_srcdir)/src/charon/ke_payload.o $(top_srcdir)/src/charon/unknown_payload.o
|
|||
$(top_srcdir)/src/charon/delete_payload.o $(top_srcdir)/src/charon/sa_payload.o $(top_srcdir)/src/charon/certreq_payload.o $(top_srcdir)/src/charon/vendor_id_payload.o \
|
||||
$(top_srcdir)/src/charon/proposal_substructure.o $(top_srcdir)/src/charon/payload.o $(top_srcdir)/src/charon/message.o $(top_srcdir)/src/charon/generator.o \
|
||||
$(top_srcdir)/src/charon/parser.o $(top_srcdir)/src/charon/packet.o $(top_srcdir)/src/charon/socket.o $(top_srcdir)/src/charon/job.o \
|
||||
$(top_srcdir)/src/charon/delete_child_sa_job.o $(top_srcdir)/src/charon/rekey_child_sa_job.o \
|
||||
$(top_srcdir)/src/charon/delete_child_sa_job.o $(top_srcdir)/src/charon/rekey_child_sa_job.o $(top_srcdir)/src/charon/create_child_sa_requested.o \
|
||||
$(top_srcdir)/src/charon/delete_established_ike_sa_job.o $(top_srcdir)/src/charon/incoming_packet_job.o $(top_srcdir)/src/charon/delete_half_open_ike_sa_job.o \
|
||||
$(top_srcdir)/src/charon/retransmit_request_job.o $(top_srcdir)/src/charon/initiate_ike_sa_job.o $(top_srcdir)/src/charon/job_queue.o $(top_srcdir)/src/charon/event_queue.o \
|
||||
$(top_srcdir)/src/charon/send_queue.o $(top_srcdir)/src/charon/kernel_interface.o $(top_srcdir)/src/charon/thread_pool.o $(top_srcdir)/src/charon/scheduler.o \
|
||||
|
|
|
@ -49,14 +49,14 @@ void test_child_sa(protected_tester_t *tester)
|
|||
remote_me = host_create(AF_INET, "192.168.0.3", 0);
|
||||
remote_other = host_create(AF_INET, "192.168.0.4", 0);
|
||||
|
||||
local_sa = child_sa_create(local_me, local_other);
|
||||
remote_sa = child_sa_create(remote_me, remote_other);
|
||||
local_sa = child_sa_create(local_me, local_other, 5, 10);
|
||||
remote_sa = child_sa_create(remote_me, remote_other, 5, 10);
|
||||
|
||||
proposal1 = proposal_create(1);
|
||||
proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
proposal1 = proposal_create(PROTO_ESP);
|
||||
proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
|
||||
proposal2 = proposal_create(2);
|
||||
proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
proposal2 = proposal_create(PROTO_AH);
|
||||
proposal2->add_algorithm(proposal2, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
|
||||
list = linked_list_create();
|
||||
list->insert_last(list, proposal1);
|
||||
|
|
|
@ -37,29 +37,29 @@ void test_connection(protected_tester_t *tester)
|
|||
proposal_t *prop1, *prop2, *prop3, *prop4;
|
||||
linked_list_t *list;
|
||||
|
||||
prop1 = proposal_create(1);
|
||||
prop1->add_algorithm(prop1, PROTO_IKE, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 20);
|
||||
prop1->add_algorithm(prop1, PROTO_IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
prop1->add_algorithm(prop1, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 20);
|
||||
prop1->add_algorithm(prop1, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
|
||||
prop1 = proposal_create(PROTO_IKE);
|
||||
prop1->add_algorithm(prop1, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 20);
|
||||
prop1->add_algorithm(prop1, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
prop1->add_algorithm(prop1, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 20);
|
||||
prop1->add_algorithm(prop1, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
|
||||
|
||||
prop2 = proposal_create(2);
|
||||
prop2->add_algorithm(prop2, PROTO_IKE, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 20);
|
||||
prop2->add_algorithm(prop2, PROTO_IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
prop2->add_algorithm(prop2, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 20);
|
||||
prop2->add_algorithm(prop2, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
|
||||
prop2 = proposal_create(PROTO_IKE);
|
||||
prop2->add_algorithm(prop2, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 20);
|
||||
prop2->add_algorithm(prop2, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
prop2->add_algorithm(prop2, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 20);
|
||||
prop2->add_algorithm(prop2, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
|
||||
|
||||
prop3 = proposal_create(3);
|
||||
prop3->add_algorithm(prop3, PROTO_IKE, ENCRYPTION_ALGORITHM, ENCR_DES, 20);
|
||||
prop3->add_algorithm(prop3, PROTO_IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
prop3->add_algorithm(prop3, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 20);
|
||||
prop3->add_algorithm(prop3, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0);
|
||||
prop3 = proposal_create(PROTO_IKE);
|
||||
prop3->add_algorithm(prop3, ENCRYPTION_ALGORITHM, ENCR_DES, 20);
|
||||
prop3->add_algorithm(prop3, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
prop3->add_algorithm(prop3, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 20);
|
||||
prop3->add_algorithm(prop3, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0);
|
||||
|
||||
prop4 = proposal_create(4);
|
||||
prop4->add_algorithm(prop4, PROTO_IKE, ENCRYPTION_ALGORITHM, ENCR_3DES, 20);
|
||||
prop4->add_algorithm(prop4, PROTO_IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
prop4->add_algorithm(prop4, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_TIGER, 20);
|
||||
prop4->add_algorithm(prop4, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0);
|
||||
prop4 = proposal_create(PROTO_IKE);
|
||||
prop4->add_algorithm(prop4, ENCRYPTION_ALGORITHM, ENCR_3DES, 20);
|
||||
prop4->add_algorithm(prop4, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
prop4->add_algorithm(prop4, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_TIGER, 20);
|
||||
prop4->add_algorithm(prop4, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0);
|
||||
|
||||
connection->add_proposal(connection, prop1);
|
||||
connection->add_proposal(connection, prop2);
|
||||
|
|
|
@ -568,17 +568,17 @@ void test_generator_with_sa_payload(protected_tester_t *tester)
|
|||
tester->assert_true(tester,(generator != NULL), "generator create check");
|
||||
|
||||
|
||||
proposal1 = proposal_create(1);
|
||||
proposal1->add_algorithm(proposal1, PROTO_IKE, ENCRYPTION_ALGORITHM, 1, 20);
|
||||
proposal1->add_algorithm(proposal1, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, 2, 22);
|
||||
proposal1->add_algorithm(proposal1, PROTO_IKE, INTEGRITY_ALGORITHM, 3, 24);
|
||||
proposal1->add_algorithm(proposal1, PROTO_IKE, DIFFIE_HELLMAN_GROUP, 4, 0);
|
||||
proposal1 = proposal_create(PROTO_IKE);
|
||||
proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, 1, 20);
|
||||
proposal1->add_algorithm(proposal1, PSEUDO_RANDOM_FUNCTION, 2, 22);
|
||||
proposal1->add_algorithm(proposal1, INTEGRITY_ALGORITHM, 3, 24);
|
||||
proposal1->add_algorithm(proposal1, DIFFIE_HELLMAN_GROUP, 4, 0);
|
||||
|
||||
proposal2 = proposal_create(2);
|
||||
proposal2->add_algorithm(proposal2, PROTO_IKE, ENCRYPTION_ALGORITHM, 5, 26);
|
||||
proposal2->add_algorithm(proposal2, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, 6, 28);
|
||||
proposal2->add_algorithm(proposal2, PROTO_IKE, INTEGRITY_ALGORITHM, 7, 30);
|
||||
proposal2->add_algorithm(proposal2, PROTO_IKE, DIFFIE_HELLMAN_GROUP, 8, 0);
|
||||
proposal2 = proposal_create(PROTO_IKE);
|
||||
proposal2->add_algorithm(proposal2, ENCRYPTION_ALGORITHM, 5, 26);
|
||||
proposal2->add_algorithm(proposal2, PSEUDO_RANDOM_FUNCTION, 6, 28);
|
||||
proposal2->add_algorithm(proposal2, INTEGRITY_ALGORITHM, 7, 30);
|
||||
proposal2->add_algorithm(proposal2, DIFFIE_HELLMAN_GROUP, 8, 0);
|
||||
|
||||
list = linked_list_create();
|
||||
list->insert_last(list, (void*)proposal1);
|
||||
|
@ -631,120 +631,6 @@ void test_generator_with_sa_payload(protected_tester_t *tester)
|
|||
proposal2->destroy(proposal2);
|
||||
chunk_free(&generated_data);
|
||||
generator->destroy(generator);
|
||||
|
||||
|
||||
/* --------------------------- */
|
||||
/* test with automatic created child proposals */
|
||||
|
||||
generator = generator_create();
|
||||
tester->assert_true(tester,(generator != NULL), "generator create check");
|
||||
|
||||
|
||||
proposal1 = proposal_create(1);
|
||||
|
||||
proposal1->add_algorithm(proposal1, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20);
|
||||
proposal1->add_algorithm(proposal1, PROTO_AH, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
|
||||
proposal1->add_algorithm(proposal1, PROTO_AH, EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0);
|
||||
proposal1->set_spi(proposal1, PROTO_AH, 0x01010101l);
|
||||
|
||||
proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 20);
|
||||
proposal1->add_algorithm(proposal1, PROTO_ESP, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
|
||||
proposal1->set_spi(proposal1, PROTO_ESP, 0x02020202);
|
||||
|
||||
|
||||
proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20);
|
||||
proposal2->add_algorithm(proposal2, PROTO_AH, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
|
||||
proposal2->add_algorithm(proposal2, PROTO_AH, EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0);
|
||||
proposal2->set_spi(proposal2, PROTO_AH, 0x01010101);
|
||||
|
||||
proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 32);
|
||||
proposal2->add_algorithm(proposal2, PROTO_ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20);
|
||||
proposal2->add_algorithm(proposal2, PROTO_ESP, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
|
||||
proposal2->set_spi(proposal2, PROTO_ESP, 0x02020202);
|
||||
|
||||
list->insert_last(list, (void*)proposal1);
|
||||
list->insert_last(list, (void*)proposal2);
|
||||
|
||||
sa_payload = sa_payload_create_from_proposal_list(list);
|
||||
tester->assert_true(tester,(sa_payload != NULL), "sa_payload create check");
|
||||
|
||||
generator->generate_payload(generator,(payload_t *)sa_payload);
|
||||
generator->write_to_chunk(generator,&generated_data);
|
||||
logger->log_chunk(logger,RAW,"generated",generated_data);
|
||||
|
||||
u_int8_t expected_generation3[] = {
|
||||
0x00,0x00,0x00,0xA0, /* payload header*/
|
||||
|
||||
/* suite 1 */
|
||||
0x02,0x00,0x00,0x28, /* a proposal */
|
||||
0x01,0x02,0x04,0x03,
|
||||
0x01,0x01,0x01,0x01,
|
||||
0x03,0x00,0x00,0x0C, /* transform 1 */
|
||||
0x03,0x00,0x00,0x01,
|
||||
0x80,0x0E,0x00,0x14, /* keylength attribute with 20 bytes length */
|
||||
|
||||
0x03,0x00,0x00,0x08, /* transform 2 */
|
||||
0x04,0x00,0x00,0x0E,
|
||||
|
||||
0x00,0x00,0x00,0x08, /* transform 3 */
|
||||
0x05,0x00,0x00,0x01,
|
||||
|
||||
|
||||
0x02,0x00,0x00,0x20, /* a proposal */
|
||||
0x01,0x03,0x04,0x02,
|
||||
0x02,0x02,0x02,0x02,
|
||||
|
||||
0x03,0x00,0x00,0x0C, /* transform 1 */
|
||||
0x01,0x00,0x00,0x0C,
|
||||
0x80,0x0E,0x00,0x20, /* keylength attribute with 32 bytes length */
|
||||
|
||||
0x00,0x00,0x00,0x08, /* transform 2 */
|
||||
0x04,0x00,0x00,0x02,
|
||||
|
||||
/* suite 2 */
|
||||
0x02,0x00,0x00,0x28, /* a proposal */
|
||||
0x02,0x02,0x04,0x03,
|
||||
0x01,0x01,0x01,0x01,
|
||||
0x03,0x00,0x00,0x0C, /* transform 1 */
|
||||
0x03,0x00,0x00,0x01,
|
||||
0x80,0x0E,0x00,0x14, /* keylength attribute with 20 bytes length */
|
||||
|
||||
0x03,0x00,0x00,0x08, /* transform 2 */
|
||||
0x04,0x00,0x00,0x0E,
|
||||
|
||||
0x00,0x00,0x00,0x08, /* transform 3 */
|
||||
0x05,0x00,0x00,0x01,
|
||||
|
||||
|
||||
0x00,0x00,0x00,0x2C, /* a proposal */
|
||||
0x02,0x03,0x04,0x03,
|
||||
0x02,0x02,0x02,0x02,
|
||||
|
||||
0x03,0x00,0x00,0x0C, /* transform 1 */
|
||||
0x01,0x00,0x00,0x0C,
|
||||
0x80,0x0E,0x00,0x20, /* keylength attribute with 32 bytes length */
|
||||
|
||||
0x03,0x00,0x00,0x0C, /* transform 2 */
|
||||
0x03,0x00,0x00,0x01,
|
||||
0x80,0x0E,0x00,0x14, /* keylength attribute with 20 bytes length */
|
||||
|
||||
0x00,0x00,0x00,0x08, /* transform 3 */
|
||||
0x04,0x00,0x00,0x02,
|
||||
|
||||
};
|
||||
|
||||
|
||||
logger->log_bytes(logger,RAW,"expected",expected_generation3,sizeof(expected_generation3));
|
||||
|
||||
tester->assert_true(tester,(memcmp(expected_generation3,generated_data.ptr,sizeof(expected_generation3)) == 0), "compare generated data");
|
||||
|
||||
sa_payload->destroy(sa_payload);
|
||||
proposal1->destroy(proposal1);
|
||||
proposal2->destroy(proposal2);
|
||||
list->destroy(list);
|
||||
chunk_free(&generated_data);
|
||||
generator->destroy(generator);
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -819,16 +705,12 @@ void test_generator_with_notify_payload(protected_tester_t *tester)
|
|||
|
||||
notify_payload = notify_payload_create();
|
||||
|
||||
|
||||
spi.ptr = "12345";
|
||||
spi.len = strlen(spi.ptr);
|
||||
|
||||
notification_data.ptr = "67890";
|
||||
notification_data.len = strlen(notification_data.ptr);
|
||||
|
||||
notify_payload->set_protocol_id(notify_payload,255);
|
||||
notify_payload->set_notify_message_type(notify_payload,63333); /* Hex F765 */
|
||||
notify_payload->set_spi(notify_payload,spi);
|
||||
notify_payload->set_spi(notify_payload, 0x3132333435);
|
||||
notify_payload->set_notification_data(notify_payload,notification_data);
|
||||
|
||||
generator->generate_payload(generator,(payload_t *)notify_payload);
|
||||
|
|
|
@ -532,6 +532,7 @@ void test_parser_with_notify_payload(protected_tester_t *tester)
|
|||
notify_payload_t *notify_payload;
|
||||
status_t status;
|
||||
chunk_t notify_chunk, result;
|
||||
u_int32_t spi;
|
||||
|
||||
u_int8_t notify_bytes[] = {
|
||||
0x00,0x00,0x00,0x1C, /* payload header */
|
||||
|
@ -559,8 +560,8 @@ void test_parser_with_notify_payload(protected_tester_t *tester)
|
|||
tester->assert_true(tester,(notify_payload->get_protocol_id(notify_payload) == 3), "Protocol id");
|
||||
tester->assert_true(tester,(notify_payload->get_notify_message_type(notify_payload) == 1), "notify message type");
|
||||
|
||||
result = notify_payload->get_spi(notify_payload);
|
||||
tester->assert_false(tester,(memcmp(notify_bytes + 8, result.ptr, result.len)), "parsed spi");
|
||||
spi = notify_payload->get_spi(notify_payload);
|
||||
tester->assert_false(tester, spi == 0x01020303, "parsed spi");
|
||||
|
||||
result = notify_payload->get_notification_data(notify_payload);
|
||||
tester->assert_false(tester,(memcmp(notify_bytes + 12, result.ptr, result.len)), "parsed notification data");
|
||||
|
|
|
@ -34,98 +34,90 @@
|
|||
*/
|
||||
void test_policy(protected_tester_t *tester)
|
||||
{
|
||||
policy_t *policy;
|
||||
// traffic_selector_t *ts;
|
||||
// linked_list_t *ts_stored, *ts_supplied, *ts_selected, *ts_expected;
|
||||
proposal_t *proposal1, *proposal2, *proposal3, *proposal_sel;
|
||||
linked_list_t *proposals_list;
|
||||
iterator_t *iterator;
|
||||
logger_t *logger;
|
||||
identification_t *alice, *bob;
|
||||
|
||||
logger = logger_manager->get_logger(logger_manager, TESTER);
|
||||
logger->disable_level(logger, FULL);
|
||||
|
||||
alice = identification_create_from_string("152.96.193.131");
|
||||
bob = identification_create_from_string("152.96.193.130");
|
||||
policy = policy_create("test", alice, bob);
|
||||
|
||||
tester->assert_true(tester, (policy != NULL), "policy construction");
|
||||
|
||||
|
||||
/*
|
||||
* test proposal getting and selection
|
||||
*
|
||||
*/
|
||||
|
||||
/* esp only prop */
|
||||
proposal1 = proposal_create(1);
|
||||
proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
|
||||
/* ah only prop */
|
||||
proposal2 = proposal_create(2);
|
||||
proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
|
||||
/* ah and esp prop */
|
||||
proposal3 = proposal_create(3);
|
||||
proposal3->add_algorithm(proposal3, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_3DES, 16);
|
||||
proposal3->add_algorithm(proposal3, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20);
|
||||
|
||||
|
||||
policy->add_proposal(policy, proposal1);
|
||||
policy->add_proposal(policy, proposal2);
|
||||
policy->add_proposal(policy, proposal3);
|
||||
|
||||
|
||||
proposals_list = policy->get_proposals(policy);
|
||||
tester->assert_true(tester, (proposals_list->get_count(proposals_list) == 3), "proposal count");
|
||||
|
||||
|
||||
proposals_list = linked_list_create();
|
||||
proposal1 = proposal_create(1);
|
||||
proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 32);
|
||||
proposal2 = proposal_create(2);
|
||||
proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_3DES, 16);
|
||||
proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 0);
|
||||
proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20);
|
||||
|
||||
proposals_list->insert_last(proposals_list, proposal1);
|
||||
proposals_list->insert_last(proposals_list, proposal2);
|
||||
|
||||
proposal_sel = policy->select_proposal(policy, proposals_list);
|
||||
tester->assert_false(tester, proposal_sel == NULL, "proposal select");
|
||||
/* check ESP encryption algo */
|
||||
iterator = proposal_sel->create_algorithm_iterator(proposal_sel, PROTO_ESP, ENCRYPTION_ALGORITHM);
|
||||
tester->assert_false(tester, iterator == NULL, "algorithm select ESP");
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
algorithm_t *algo;
|
||||
iterator->current(iterator, (void**)&algo);
|
||||
tester->assert_true(tester, algo->algorithm == ENCR_3DES, "ESP encryption algo");
|
||||
tester->assert_true(tester, algo->key_size == 16, "ESP encryption keysize");
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
iterator = proposal_sel->create_algorithm_iterator(proposal_sel, PROTO_AH, INTEGRITY_ALGORITHM);
|
||||
/* check AH integrity algo */
|
||||
tester->assert_false(tester, iterator == NULL, "algorithm select AH");
|
||||
while (iterator->has_next(iterator))
|
||||
{
|
||||
algorithm_t *algo;
|
||||
iterator->current(iterator, (void**)&algo);
|
||||
tester->assert_true(tester, algo->algorithm == AUTH_HMAC_MD5_96, "ESP encryption algo");
|
||||
tester->assert_true(tester, algo->key_size == 20, "ESP encryption keysize");
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
|
||||
proposal_sel->destroy(proposal_sel);
|
||||
|
||||
/* cleanup */
|
||||
proposal1->destroy(proposal1);
|
||||
proposal1->destroy(proposal2);
|
||||
proposals_list->destroy(proposals_list);
|
||||
|
||||
// policy_t *policy;
|
||||
// // traffic_selector_t *ts;
|
||||
// // linked_list_t *ts_stored, *ts_supplied, *ts_selected, *ts_expected;
|
||||
// proposal_t *proposal1, *proposal2, *proposal3, *proposal_sel;
|
||||
// linked_list_t *proposals_list;
|
||||
// iterator_t *iterator;
|
||||
// logger_t *logger;
|
||||
// identification_t *alice, *bob;
|
||||
//
|
||||
// logger = logger_manager->get_logger(logger_manager, TESTER);
|
||||
// logger->disable_level(logger, FULL);
|
||||
//
|
||||
// alice = identification_create_from_string("152.96.193.131");
|
||||
// bob = identification_create_from_string("152.96.193.130");
|
||||
// policy = policy_create("test", alice, bob);
|
||||
//
|
||||
// tester->assert_true(tester, (policy != NULL), "policy construction");
|
||||
//
|
||||
//
|
||||
// /*
|
||||
// * test proposal getting and selection
|
||||
// *
|
||||
// */
|
||||
//
|
||||
// /* esp only prop */
|
||||
// proposal1 = proposal_create(PROTO_ESP);
|
||||
// proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
//
|
||||
// /* ah only prop */
|
||||
// proposal2 = proposal_create(PROTO_AH);
|
||||
// proposal2->add_algorithm(proposal2, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
//
|
||||
// policy->add_proposal(policy, proposal1);
|
||||
// policy->add_proposal(policy, proposal2);
|
||||
//
|
||||
// proposals_list = policy->get_proposals(policy);
|
||||
// tester->assert_true(tester, (proposals_list->get_count(proposals_list) == 2), "proposal count");
|
||||
//
|
||||
//
|
||||
// proposals_list = linked_list_create();
|
||||
// proposal1 = proposal_create(1);
|
||||
// proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 32);
|
||||
// proposal2 = proposal_create(2);
|
||||
// proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
// proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_3DES, 16);
|
||||
// proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 0);
|
||||
// proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
// proposal2->add_algorithm(proposal2, PROTO_AH, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20);
|
||||
//
|
||||
// proposals_list->insert_last(proposals_list, proposal1);
|
||||
// proposals_list->insert_last(proposals_list, proposal2);
|
||||
//
|
||||
// proposal_sel = policy->select_proposal(policy, proposals_list);
|
||||
// tester->assert_false(tester, proposal_sel == NULL, "proposal select");
|
||||
// /* check ESP encryption algo */
|
||||
// iterator = proposal_sel->create_algorithm_iterator(proposal_sel, PROTO_ESP, ENCRYPTION_ALGORITHM);
|
||||
// tester->assert_false(tester, iterator == NULL, "algorithm select ESP");
|
||||
// while (iterator->has_next(iterator))
|
||||
// {
|
||||
// algorithm_t *algo;
|
||||
// iterator->current(iterator, (void**)&algo);
|
||||
// tester->assert_true(tester, algo->algorithm == ENCR_3DES, "ESP encryption algo");
|
||||
// tester->assert_true(tester, algo->key_size == 16, "ESP encryption keysize");
|
||||
// }
|
||||
// iterator->destroy(iterator);
|
||||
// iterator = proposal_sel->create_algorithm_iterator(proposal_sel, PROTO_AH, INTEGRITY_ALGORITHM);
|
||||
// /* check AH integrity algo */
|
||||
// tester->assert_false(tester, iterator == NULL, "algorithm select AH");
|
||||
// while (iterator->has_next(iterator))
|
||||
// {
|
||||
// algorithm_t *algo;
|
||||
// iterator->current(iterator, (void**)&algo);
|
||||
// tester->assert_true(tester, algo->algorithm == AUTH_HMAC_MD5_96, "ESP encryption algo");
|
||||
// tester->assert_true(tester, algo->key_size == 20, "ESP encryption keysize");
|
||||
// }
|
||||
// iterator->destroy(iterator);
|
||||
//
|
||||
// proposal_sel->destroy(proposal_sel);
|
||||
//
|
||||
// /* cleanup */
|
||||
// proposal1->destroy(proposal1);
|
||||
// proposal1->destroy(proposal2);
|
||||
// proposals_list->destroy(proposals_list);
|
||||
//
|
||||
// /*
|
||||
// * test traffic selection getting and matching
|
||||
// *
|
||||
|
@ -241,6 +233,6 @@ void test_policy(protected_tester_t *tester)
|
|||
// ts_request[2]->destroy(ts_request[2]);
|
||||
// ts_reference[2]->destroy(ts_reference[2]);
|
||||
// ts_request[3]->destroy(ts_request[3]);
|
||||
|
||||
policy->destroy(policy);
|
||||
/*
|
||||
policy->destroy(policy);*/
|
||||
}
|
||||
|
|
|
@ -37,58 +37,46 @@ void test_proposal(protected_tester_t *tester)
|
|||
algorithm_t *algo;
|
||||
bool result;
|
||||
|
||||
proposal1 = proposal_create(1);
|
||||
proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
|
||||
proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 32);
|
||||
proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
proposal1->add_algorithm(proposal1, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 0);
|
||||
proposal1->add_algorithm(proposal1, PROTO_ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 20);
|
||||
proposal1->add_algorithm(proposal1, PROTO_ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20);
|
||||
proposal1->add_algorithm(proposal1, PROTO_AH, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
|
||||
proposal1->add_algorithm(proposal1, PROTO_AH, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
|
||||
proposal1 = proposal_create(PROTO_ESP);
|
||||
proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
|
||||
proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 32);
|
||||
proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
proposal1->add_algorithm(proposal1, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 0);
|
||||
proposal1->add_algorithm(proposal1, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
proposal1->add_algorithm(proposal1, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
proposal1->add_algorithm(proposal1, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
|
||||
proposal1->add_algorithm(proposal1, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
|
||||
|
||||
proposal2 = proposal_create(2);
|
||||
proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_3IDEA, 0);
|
||||
proposal2->add_algorithm(proposal2, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
proposal2->add_algorithm(proposal2, PROTO_ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 20);
|
||||
proposal1->add_algorithm(proposal2, PROTO_AH, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
|
||||
proposal2 = proposal_create(PROTO_ESP);
|
||||
proposal2->add_algorithm(proposal2, ENCRYPTION_ALGORITHM, ENCR_3IDEA, 0);
|
||||
proposal2->add_algorithm(proposal2, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 0);
|
||||
proposal2->add_algorithm(proposal2, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
|
||||
/* ah and esp prop */
|
||||
proposal3 = proposal1->select(proposal1, proposal2);
|
||||
tester->assert_false(tester, proposal3 == NULL, "proposal select");
|
||||
if (proposal3)
|
||||
{
|
||||
result = proposal3->get_algorithm(proposal3, PROTO_ESP, ENCRYPTION_ALGORITHM, &algo);
|
||||
result = proposal3->get_algorithm(proposal3, ENCRYPTION_ALGORITHM, &algo);
|
||||
tester->assert_true(tester, result, "encryption algo select");
|
||||
tester->assert_true(tester, algo->algorithm == ENCR_AES_CBC, "encryption algo");
|
||||
tester->assert_true(tester, algo->key_size == 16, "encryption keylen");
|
||||
|
||||
|
||||
result = proposal3->get_algorithm(proposal3, PROTO_ESP, INTEGRITY_ALGORITHM, &algo);
|
||||
result = proposal3->get_algorithm(proposal3, INTEGRITY_ALGORITHM, &algo);
|
||||
tester->assert_true(tester, result, "integrity algo select");
|
||||
tester->assert_true(tester, algo->algorithm == AUTH_HMAC_MD5_96, "integrity algo");
|
||||
tester->assert_true(tester, algo->key_size == 20, "integrity keylen");
|
||||
tester->assert_true(tester, algo->key_size == 16, "integrity keylen");
|
||||
|
||||
iterator = proposal3->create_algorithm_iterator(proposal3, PROTO_ESP, INTEGRITY_ALGORITHM);
|
||||
iterator = proposal3->create_algorithm_iterator(proposal3, INTEGRITY_ALGORITHM);
|
||||
tester->assert_false(tester, iterator == NULL, "integrity algo select");
|
||||
while(iterator->has_next(iterator))
|
||||
{
|
||||
iterator->current(iterator, (void**)&algo);
|
||||
tester->assert_true(tester, algo->algorithm == AUTH_HMAC_MD5_96, "integrity algo");
|
||||
tester->assert_true(tester, algo->key_size == 20, "integrity keylen");
|
||||
tester->assert_true(tester, algo->key_size == 16, "integrity keylen");
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
|
||||
iterator = proposal3->create_algorithm_iterator(proposal3, PROTO_AH, DIFFIE_HELLMAN_GROUP );
|
||||
tester->assert_false(tester, iterator == NULL, "dh group algo select");
|
||||
while(iterator->has_next(iterator))
|
||||
{
|
||||
iterator->current(iterator, (void**)&algo);
|
||||
tester->assert_true(tester, algo->algorithm == MODP_1024_BIT, "dh group algo");
|
||||
tester->assert_true(tester, algo->key_size == 0, "dh gorup keylen");
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
|
||||
proposal3->destroy(proposal3);
|
||||
}
|
||||
|
||||
|
|
|
@ -677,17 +677,19 @@ static void receive_messages(private_kernel_interface_t *this)
|
|||
job_t *job;
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1,
|
||||
"Received a XFRM_MSG_EXPIRE");
|
||||
this->logger->log(this->logger, CONTROL|LEVEL0,
|
||||
"creating %s job for CHILD_SA with reqid %d",
|
||||
response.expire.hard ? "delete" : "rekey",
|
||||
response.expire.state.reqid);
|
||||
if (response.expire.hard)
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|LEVEL0,
|
||||
"creating delete job for CHILD_SA with reqid %d",
|
||||
response.expire.state.reqid);
|
||||
job = (job_t*)delete_child_sa_job_create(
|
||||
response.expire.state.reqid);
|
||||
}
|
||||
else
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|LEVEL0,
|
||||
"creating rekey job for CHILD_SA with reqid %d",
|
||||
response.expire.state.reqid);
|
||||
job = (job_t*)rekey_child_sa_job_create(
|
||||
response.expire.state.reqid);
|
||||
}
|
||||
|
|
|
@ -294,17 +294,17 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
|
|||
connection = connection_create(msg->add_conn.name, msg->add_conn.ikev2,
|
||||
my_host, other_host,
|
||||
RSA_DIGITAL_SIGNATURE);
|
||||
proposal = proposal_create(1);
|
||||
proposal->add_algorithm(proposal, PROTO_IKE, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
proposal->add_algorithm(proposal, PROTO_IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
proposal->add_algorithm(proposal, PROTO_IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
proposal->add_algorithm(proposal, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
|
||||
proposal->add_algorithm(proposal, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
|
||||
proposal->add_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
|
||||
proposal->add_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0);
|
||||
proposal->add_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
|
||||
proposal->add_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
|
||||
proposal->add_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
|
||||
proposal = proposal_create(PROTO_IKE);
|
||||
proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
|
||||
proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
|
||||
proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
|
||||
proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0);
|
||||
proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
|
||||
proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
|
||||
proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
|
||||
connection->add_proposal(connection, proposal);
|
||||
|
||||
/* add to global connection list */
|
||||
|
@ -317,10 +317,9 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
|
|||
other_id->get_string(other_id));
|
||||
|
||||
policy = policy_create(msg->add_conn.name, my_id, other_id);
|
||||
proposal = proposal_create(1);
|
||||
proposal->add_algorithm(proposal, PROTO_ESP, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
proposal->add_algorithm(proposal, PROTO_ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
proposal->add_algorithm(proposal, PROTO_ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
proposal = proposal_create(PROTO_ESP);
|
||||
proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
|
||||
proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
policy->add_proposal(policy, proposal);
|
||||
policy->add_my_traffic_selector(policy, my_ts);
|
||||
policy->add_other_traffic_selector(policy, other_ts);
|
||||
|
|
Loading…
Reference in New Issue