implemented IKE_SA rekeying
uses ikelifetime, rekeymargin and rekeyfuzz config settings no handling of simultaneus exchanges yet!
This commit is contained in:
parent
45f76a7ddd
commit
fe04e93a8b
|
@ -17,6 +17,7 @@ sa/transactions/create_child_sa.h sa/transactions/create_child_sa.c \
|
||||||
sa/transactions/delete_child_sa.h sa/transactions/delete_child_sa.c \
|
sa/transactions/delete_child_sa.h sa/transactions/delete_child_sa.c \
|
||||||
sa/transactions/dead_peer_detection.h sa/transactions/dead_peer_detection.c \
|
sa/transactions/dead_peer_detection.h sa/transactions/dead_peer_detection.c \
|
||||||
sa/transactions/delete_ike_sa.h sa/transactions/delete_ike_sa.c \
|
sa/transactions/delete_ike_sa.h sa/transactions/delete_ike_sa.c \
|
||||||
|
sa/transactions/rekey_ike_sa.h sa/transactions/rekey_ike_sa.c \
|
||||||
sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
|
sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
|
||||||
sa/ike_sa_id.c sa/ike_sa_id.h sa/authenticator.c sa/authenticator.h encoding/payloads/encryption_payload.c \
|
sa/ike_sa_id.c sa/ike_sa_id.h sa/authenticator.c sa/authenticator.h encoding/payloads/encryption_payload.c \
|
||||||
encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \
|
encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \
|
||||||
|
@ -43,11 +44,9 @@ queues/jobs/incoming_packet_job.c queues/jobs/delete_half_open_ike_sa_job.c \
|
||||||
queues/jobs/delete_established_ike_sa_job.h queues/jobs/delete_half_open_ike_sa_job.h \
|
queues/jobs/delete_established_ike_sa_job.h queues/jobs/delete_half_open_ike_sa_job.h \
|
||||||
queues/jobs/incoming_packet_job.h queues/jobs/retransmit_request_job.c queues/jobs/initiate_job.c \
|
queues/jobs/incoming_packet_job.h queues/jobs/retransmit_request_job.c queues/jobs/initiate_job.c \
|
||||||
queues/jobs/send_keepalive_job.c queues/jobs/send_keepalive_job.h \
|
queues/jobs/send_keepalive_job.c queues/jobs/send_keepalive_job.h \
|
||||||
queues/jobs/rekey_child_sa_job.c queues/jobs/rekey_child_sa_job.h \
|
queues/jobs/rekey_child_sa_job.c queues/jobs/rekey_child_sa_job.h queues/jobs/delete_child_sa_job.c queues/jobs/delete_child_sa_job.h \
|
||||||
queues/jobs/delete_child_sa_job.c queues/jobs/delete_child_sa_job.h \
|
queues/jobs/send_dpd_job.c queues/jobs/send_dpd_job.h queues/jobs/route_job.c queues/jobs/route_job.h \
|
||||||
queues/jobs/send_dpd_job.c queues/jobs/send_dpd_job.h \
|
queues/jobs/acquire_job.c queues/jobs/acquire_job.h queues/jobs/rekey_ike_sa_job.c queues/jobs/rekey_ike_sa_job.h \
|
||||||
queues/jobs/route_job.c queues/jobs/route_job.h \
|
|
||||||
queues/jobs/acquire_job.c queues/jobs/acquire_job.h \
|
|
||||||
queues/job_queue.c queues/event_queue.c queues/send_queue.h queues/job_queue.h queues/event_queue.h \
|
queues/job_queue.c queues/event_queue.c queues/send_queue.h queues/job_queue.h queues/event_queue.h \
|
||||||
queues/send_queue.c threads/kernel_interface.c threads/thread_pool.c threads/scheduler.c threads/sender.c \
|
queues/send_queue.c threads/kernel_interface.c threads/thread_pool.c threads/scheduler.c threads/sender.c \
|
||||||
threads/sender.h threads/kernel_interface.h threads/scheduler.h threads/receiver.c threads/stroke_interface.c \
|
threads/sender.h threads/kernel_interface.h threads/scheduler.h threads/receiver.c threads/stroke_interface.c \
|
||||||
|
|
|
@ -109,6 +109,22 @@ struct private_connection_t {
|
||||||
* Supported proposals
|
* Supported proposals
|
||||||
*/
|
*/
|
||||||
linked_list_t *proposals;
|
linked_list_t *proposals;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Time before an SA gets invalid
|
||||||
|
*/
|
||||||
|
u_int32_t soft_lifetime;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Time before an SA gets rekeyed
|
||||||
|
*/
|
||||||
|
u_int32_t hard_lifetime;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Time, which specifies the range of a random value
|
||||||
|
* substracted from soft_lifetime.
|
||||||
|
*/
|
||||||
|
u_int32_t jitter;
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -164,7 +180,19 @@ static host_t *get_other_host (private_connection_t *this)
|
||||||
*/
|
*/
|
||||||
static linked_list_t* get_proposals(private_connection_t *this)
|
static linked_list_t* get_proposals(private_connection_t *this)
|
||||||
{
|
{
|
||||||
return this->proposals;
|
iterator_t *iterator;
|
||||||
|
proposal_t *current;
|
||||||
|
linked_list_t *proposals = linked_list_create();
|
||||||
|
|
||||||
|
iterator = this->proposals->create_iterator(this->proposals, TRUE);
|
||||||
|
while (iterator->iterate(iterator, (void**)¤t))
|
||||||
|
{
|
||||||
|
current = current->clone(current);
|
||||||
|
proposals->insert_last(proposals, (void*)current);
|
||||||
|
}
|
||||||
|
iterator->destroy(iterator);
|
||||||
|
|
||||||
|
return proposals;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -273,6 +301,25 @@ static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh
|
||||||
prop_iter->destroy(prop_iter);
|
prop_iter->destroy(prop_iter);
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
/**
|
||||||
|
* Implementation of connection_t.get_soft_lifetime
|
||||||
|
*/
|
||||||
|
static u_int32_t get_soft_lifetime(private_connection_t *this)
|
||||||
|
{
|
||||||
|
if (this->jitter == 0)
|
||||||
|
{
|
||||||
|
return this->soft_lifetime ;
|
||||||
|
}
|
||||||
|
return this->soft_lifetime - (random() % this->jitter);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of connection_t.get_hard_lifetime
|
||||||
|
*/
|
||||||
|
static u_int32_t get_hard_lifetime(private_connection_t *this)
|
||||||
|
{
|
||||||
|
return this->hard_lifetime;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of connection_t.get_ref.
|
* Implementation of connection_t.get_ref.
|
||||||
|
@ -310,8 +357,10 @@ static void destroy(private_connection_t *this)
|
||||||
connection_t * connection_create(char *name, bool ikev2,
|
connection_t * connection_create(char *name, bool ikev2,
|
||||||
cert_policy_t cert_policy,
|
cert_policy_t cert_policy,
|
||||||
cert_policy_t certreq_policy,
|
cert_policy_t certreq_policy,
|
||||||
host_t *my_host, host_t *other_host,
|
host_t *my_host, host_t *other_host,
|
||||||
auth_method_t auth_method)
|
auth_method_t auth_method,
|
||||||
|
u_int32_t hard_lifetime,
|
||||||
|
u_int32_t soft_lifetime, u_int32_t jitter)
|
||||||
{
|
{
|
||||||
private_connection_t *this = malloc_thing(private_connection_t);
|
private_connection_t *this = malloc_thing(private_connection_t);
|
||||||
|
|
||||||
|
@ -328,6 +377,8 @@ connection_t * connection_create(char *name, bool ikev2,
|
||||||
this->public.get_auth_method = (auth_method_t(*)(connection_t*)) get_auth_method;
|
this->public.get_auth_method = (auth_method_t(*)(connection_t*)) get_auth_method;
|
||||||
this->public.get_dh_group = (diffie_hellman_group_t(*)(connection_t*)) get_dh_group;
|
this->public.get_dh_group = (diffie_hellman_group_t(*)(connection_t*)) get_dh_group;
|
||||||
this->public.check_dh_group = (bool(*)(connection_t*,diffie_hellman_group_t)) check_dh_group;
|
this->public.check_dh_group = (bool(*)(connection_t*,diffie_hellman_group_t)) check_dh_group;
|
||||||
|
this->public.get_soft_lifetime = (u_int32_t (*) (connection_t *))get_soft_lifetime;
|
||||||
|
this->public.get_hard_lifetime = (u_int32_t (*) (connection_t *))get_hard_lifetime;
|
||||||
this->public.get_ref = (void(*)(connection_t*))get_ref;
|
this->public.get_ref = (void(*)(connection_t*))get_ref;
|
||||||
this->public.destroy = (void(*)(connection_t*))destroy;
|
this->public.destroy = (void(*)(connection_t*))destroy;
|
||||||
|
|
||||||
|
@ -340,6 +391,9 @@ connection_t * connection_create(char *name, bool ikev2,
|
||||||
this->my_host = my_host;
|
this->my_host = my_host;
|
||||||
this->other_host = other_host;
|
this->other_host = other_host;
|
||||||
this->auth_method = auth_method;
|
this->auth_method = auth_method;
|
||||||
|
this->hard_lifetime = hard_lifetime;
|
||||||
|
this->soft_lifetime = soft_lifetime;
|
||||||
|
this->jitter = jitter;
|
||||||
|
|
||||||
this->proposals = linked_list_create();
|
this->proposals = linked_list_create();
|
||||||
|
|
||||||
|
|
|
@ -134,8 +134,7 @@ struct connection_t {
|
||||||
/**
|
/**
|
||||||
* @brief Returns a list of all supported proposals.
|
* @brief Returns a list of all supported proposals.
|
||||||
*
|
*
|
||||||
* Returned list is still owned by connection and MUST NOT
|
* Returned list and its proposals must be destroyed after usage.
|
||||||
* modified or destroyed.
|
|
||||||
*
|
*
|
||||||
* @param this calling object
|
* @param this calling object
|
||||||
* @return list containing all the proposals
|
* @return list containing all the proposals
|
||||||
|
@ -235,6 +234,25 @@ struct connection_t {
|
||||||
* @return TRUE if group acceptable
|
* @return TRUE if group acceptable
|
||||||
*/
|
*/
|
||||||
bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group);
|
bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Get the lifetime of a connection, before IKE_SA rekeying starts.
|
||||||
|
*
|
||||||
|
* A call to this function automatically adds a jitter to
|
||||||
|
* avoid simultanous rekeying.
|
||||||
|
*
|
||||||
|
* @param this calling object
|
||||||
|
* @return lifetime in seconds
|
||||||
|
*/
|
||||||
|
u_int32_t (*get_soft_lifetime) (connection_t *this);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Get the lifetime of a connection, before IKE_SA gets deleted.
|
||||||
|
*
|
||||||
|
* @param this calling object
|
||||||
|
* @return lifetime in seconds
|
||||||
|
*/
|
||||||
|
u_int32_t (*get_hard_lifetime) (connection_t *this);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Get a new reference to this connection.
|
* @brief Get a new reference to this connection.
|
||||||
|
@ -271,6 +289,9 @@ struct connection_t {
|
||||||
* @param my_host host_t representing local address
|
* @param my_host host_t representing local address
|
||||||
* @param other_host host_t representing remote address
|
* @param other_host host_t representing remote address
|
||||||
* @param auth_method Authentication method to use for our(!) auth data
|
* @param auth_method Authentication method to use for our(!) auth data
|
||||||
|
* @param hard_lifetime lifetime before deleting an IKE_SA
|
||||||
|
* @param soft_lifetime lifetime before rekeying an IKE_SA
|
||||||
|
* @param jitter range of randomization time
|
||||||
* @return connection_t object.
|
* @return connection_t object.
|
||||||
*
|
*
|
||||||
* @ingroup config
|
* @ingroup config
|
||||||
|
@ -278,6 +299,7 @@ struct connection_t {
|
||||||
connection_t * connection_create(char *name, bool ikev2,
|
connection_t * connection_create(char *name, bool ikev2,
|
||||||
cert_policy_t cert_pol, cert_policy_t req_pol,
|
cert_policy_t cert_pol, cert_policy_t req_pol,
|
||||||
host_t *my_host, host_t *other_host,
|
host_t *my_host, host_t *other_host,
|
||||||
auth_method_t auth_method);
|
auth_method_t auth_method, u_int32_t hard_lifetime,
|
||||||
|
u_int32_t soft_lifetime, u_int32_t jitter);
|
||||||
|
|
||||||
#endif /* CONNECTION_H_ */
|
#endif /* CONNECTION_H_ */
|
||||||
|
|
|
@ -258,7 +258,19 @@ static linked_list_t *select_other_traffic_selectors(private_policy_t *this,
|
||||||
*/
|
*/
|
||||||
static linked_list_t *get_proposals(private_policy_t *this)
|
static linked_list_t *get_proposals(private_policy_t *this)
|
||||||
{
|
{
|
||||||
return this->proposals;
|
iterator_t *iterator;
|
||||||
|
proposal_t *current;
|
||||||
|
linked_list_t *proposals = linked_list_create();
|
||||||
|
|
||||||
|
iterator = this->proposals->create_iterator(this->proposals, TRUE);
|
||||||
|
while (iterator->iterate(iterator, (void**)¤t))
|
||||||
|
{
|
||||||
|
current = current->clone(current);
|
||||||
|
proposals->insert_last(proposals, (void*)current);
|
||||||
|
}
|
||||||
|
iterator->destroy(iterator);
|
||||||
|
|
||||||
|
return proposals;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -349,7 +361,6 @@ static u_int32_t get_soft_lifetime(private_policy_t *this)
|
||||||
{
|
{
|
||||||
return this->soft_lifetime ;
|
return this->soft_lifetime ;
|
||||||
}
|
}
|
||||||
srandom(time(NULL)+getpid());
|
|
||||||
return this->soft_lifetime - (random() % this->jitter);
|
return this->soft_lifetime - (random() % this->jitter);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -136,8 +136,7 @@ struct policy_t {
|
||||||
*
|
*
|
||||||
* policy_t does store proposals for AH/ESP, IKE proposals are in
|
* policy_t does store proposals for AH/ESP, IKE proposals are in
|
||||||
* the connection_t.
|
* the connection_t.
|
||||||
* List and Items are still owned by policy and MUST NOT
|
* Resulting list and all of its proposals must be freed after usage.
|
||||||
* be manipulated or freed!
|
|
||||||
*
|
*
|
||||||
* @param this calling object
|
* @param this calling object
|
||||||
* @return lists with proposals
|
* @return lists with proposals
|
||||||
|
|
|
@ -28,6 +28,7 @@
|
||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
#include <time.h>
|
||||||
#include <execinfo.h>
|
#include <execinfo.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <getopt.h>
|
#include <getopt.h>
|
||||||
|
@ -171,6 +172,9 @@ static void initialize(private_daemon_t *this, bool strict)
|
||||||
{
|
{
|
||||||
credential_store_t* credentials;
|
credential_store_t* credentials;
|
||||||
|
|
||||||
|
/* for uncritical pseudo random numbers */
|
||||||
|
srandom(time(NULL) + getpid());
|
||||||
|
|
||||||
this->public.configuration = configuration_create();
|
this->public.configuration = configuration_create();
|
||||||
this->public.socket = socket_create(IKEV2_UDP_PORT, IKEV2_NATT_PORT);
|
this->public.socket = socket_create(IKEV2_UDP_PORT, IKEV2_NATT_PORT);
|
||||||
this->public.interfaces = interfaces_create(IKEV2_UDP_PORT);
|
this->public.interfaces = interfaces_create(IKEV2_UDP_PORT);
|
||||||
|
|
|
@ -50,7 +50,7 @@
|
||||||
- implement 3DES to load encrypted pem files
|
- implement 3DES to load encrypted pem files
|
||||||
+ ipsec.secrets parsing
|
+ ipsec.secrets parsing
|
||||||
|
|
||||||
/ trapping
|
+ trapping
|
||||||
+ proper delete messages
|
+ proper delete messages
|
||||||
- notifys on connection setup failure
|
- notifys on connection setup failure
|
||||||
+ create child sa message/rekeying
|
+ create child sa message/rekeying
|
||||||
|
@ -59,7 +59,7 @@
|
||||||
when a blocked IKE_SA receives a lot of messages
|
when a blocked IKE_SA receives a lot of messages
|
||||||
- add a crl fetch mechanism which synchronizes equal fetches
|
- add a crl fetch mechanism which synchronizes equal fetches
|
||||||
|
|
||||||
- replace state machine with something more transaction oriented
|
+ replace state machine with something more transaction oriented
|
||||||
- find existing IKE_SA on CHILD_SA initiation
|
+ find existing IKE_SA on CHILD_SA initiation
|
||||||
|
|
||||||
- configure flag which allows to ommit vendor id in pluto
|
- configure flag which allows to ommit vendor id in pluto
|
||||||
|
|
|
@ -105,31 +105,30 @@ struct private_proposal_substructure_t {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Encoding rules to parse or generate a Proposal substructure.
|
* Encoding rules to parse or generate a Proposal substructure.
|
||||||
*
|
*
|
||||||
* The defined offsets are the positions in a object of type
|
* The defined offsets are the positions in a object of type
|
||||||
* private_proposal_substructure_t.
|
* private_proposal_substructure_t.
|
||||||
*
|
|
||||||
*/
|
*/
|
||||||
encoding_rule_t proposal_substructure_encodings[] = {
|
encoding_rule_t proposal_substructure_encodings[] = {
|
||||||
/* 1 Byte next payload type, stored in the field next_payload */
|
/* 1 Byte next payload type, stored in the field next_payload */
|
||||||
{ U_INT_8, offsetof(private_proposal_substructure_t, next_payload) },
|
{ U_INT_8, offsetof(private_proposal_substructure_t, next_payload) },
|
||||||
/* Reserved Byte is skipped */
|
/* Reserved Byte is skipped */
|
||||||
{ RESERVED_BYTE, 0 },
|
{ RESERVED_BYTE, 0 },
|
||||||
/* Length of the whole proposal substructure payload*/
|
/* Length of the whole proposal substructure payload*/
|
||||||
{ PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) },
|
{ PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) },
|
||||||
/* proposal number is a number of 8 bit */
|
/* proposal number is a number of 8 bit */
|
||||||
{ U_INT_8, offsetof(private_proposal_substructure_t, proposal_number) },
|
{ U_INT_8, offsetof(private_proposal_substructure_t, proposal_number) },
|
||||||
/* protocol ID is a number of 8 bit */
|
/* protocol ID is a number of 8 bit */
|
||||||
{ U_INT_8, offsetof(private_proposal_substructure_t, protocol_id) },
|
{ U_INT_8, offsetof(private_proposal_substructure_t, protocol_id) },
|
||||||
/* SPI Size has its own type */
|
/* SPI Size has its own type */
|
||||||
{ SPI_SIZE, offsetof(private_proposal_substructure_t, spi_size) },
|
{ SPI_SIZE, offsetof(private_proposal_substructure_t, spi_size) },
|
||||||
/* Number of transforms is a number of 8 bit */
|
/* Number of transforms is a number of 8 bit */
|
||||||
{ U_INT_8, offsetof(private_proposal_substructure_t, transforms_count) },
|
{ U_INT_8, offsetof(private_proposal_substructure_t, transforms_count) },
|
||||||
/* SPI is a chunk of variable size*/
|
/* SPI is a chunk of variable size*/
|
||||||
{ SPI, offsetof(private_proposal_substructure_t, spi) },
|
{ SPI, offsetof(private_proposal_substructure_t, spi) },
|
||||||
/* Transforms are stored in a transform substructure,
|
/* Transforms are stored in a transform substructure,
|
||||||
offset points to a linked_list_t pointer */
|
offset points to a linked_list_t pointer */
|
||||||
{ TRANSFORMS, offsetof(private_proposal_substructure_t, transforms) }
|
{ TRANSFORMS, offsetof(private_proposal_substructure_t, transforms) }
|
||||||
};
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -169,6 +168,31 @@ static status_t verify(private_proposal_substructure_t *this)
|
||||||
return FAILED;
|
return FAILED;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
switch (this->protocol_id)
|
||||||
|
{
|
||||||
|
case PROTO_AH:
|
||||||
|
case PROTO_ESP:
|
||||||
|
if (this->spi.len != 4)
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, ERROR,
|
||||||
|
"invalid SPI length in %s proposal",
|
||||||
|
mapping_find(protocol_id_m, this->protocol_id));
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case PROTO_IKE:
|
||||||
|
if (this->spi.len != 0 && this->spi.len != 8)
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, ERROR,
|
||||||
|
"invalid SPI length in IKE proposal");
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
this->logger->log(this->logger, ERROR,
|
||||||
|
"invalid proposal protocol (%d)", this->protocol_id);
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
if ((this->protocol_id == 0) || (this->protocol_id >= 4))
|
if ((this->protocol_id == 0) || (this->protocol_id >= 4))
|
||||||
{
|
{
|
||||||
/* reserved are not supported */
|
/* reserved are not supported */
|
||||||
|
@ -177,12 +201,11 @@ static status_t verify(private_proposal_substructure_t *this)
|
||||||
}
|
}
|
||||||
|
|
||||||
iterator = this->transforms->create_iterator(this->transforms,TRUE);
|
iterator = this->transforms->create_iterator(this->transforms,TRUE);
|
||||||
|
|
||||||
while(iterator->has_next(iterator))
|
while(iterator->has_next(iterator))
|
||||||
{
|
{
|
||||||
payload_t *current_transform;
|
payload_t *current_transform;
|
||||||
iterator->current(iterator,(void **)¤t_transform);
|
iterator->current(iterator,(void **)¤t_transform);
|
||||||
|
|
||||||
status = current_transform->verify(current_transform);
|
status = current_transform->verify(current_transform);
|
||||||
if (status != SUCCESS)
|
if (status != SUCCESS)
|
||||||
{
|
{
|
||||||
|
@ -190,10 +213,8 @@ static status_t verify(private_proposal_substructure_t *this)
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
iterator->destroy(iterator);
|
iterator->destroy(iterator);
|
||||||
|
|
||||||
|
|
||||||
/* proposal number is checked in SA payload */
|
/* proposal number is checked in SA payload */
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
@ -275,7 +296,6 @@ static void set_is_last_proposal (private_proposal_substructure_t *this, bool is
|
||||||
this->next_payload = (is_last) ? 0: PROPOSAL_TYPE_VALUE;
|
this->next_payload = (is_last) ? 0: PROPOSAL_TYPE_VALUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of proposal_substructure_t.set_proposal_number.
|
* Implementation of proposal_substructure_t.set_proposal_number.
|
||||||
*/
|
*/
|
||||||
|
@ -303,7 +323,7 @@ static void set_protocol_id(private_proposal_substructure_t *this,u_int8_t proto
|
||||||
/**
|
/**
|
||||||
* Implementation of proposal_substructure_t.get_protocol_id.
|
* Implementation of proposal_substructure_t.get_protocol_id.
|
||||||
*/
|
*/
|
||||||
static u_int8_t get_protocol_id (private_proposal_substructure_t *this)
|
static u_int8_t get_protocol_id(private_proposal_substructure_t *this)
|
||||||
{
|
{
|
||||||
return (this->protocol_id);
|
return (this->protocol_id);
|
||||||
}
|
}
|
||||||
|
@ -311,7 +331,7 @@ static u_int8_t get_protocol_id (private_proposal_substructure_t *this)
|
||||||
/**
|
/**
|
||||||
* Implementation of proposal_substructure_t.set_spi.
|
* Implementation of proposal_substructure_t.set_spi.
|
||||||
*/
|
*/
|
||||||
static void set_spi (private_proposal_substructure_t *this, chunk_t spi)
|
static void set_spi(private_proposal_substructure_t *this, chunk_t spi)
|
||||||
{
|
{
|
||||||
/* first delete already set spi value */
|
/* first delete already set spi value */
|
||||||
if (this->spi.ptr != NULL)
|
if (this->spi.ptr != NULL)
|
||||||
|
@ -331,54 +351,19 @@ static void set_spi (private_proposal_substructure_t *this, chunk_t spi)
|
||||||
/**
|
/**
|
||||||
* Implementation of proposal_substructure_t.get_spi.
|
* Implementation of proposal_substructure_t.get_spi.
|
||||||
*/
|
*/
|
||||||
static chunk_t get_spi (private_proposal_substructure_t *this)
|
static chunk_t get_spi(private_proposal_substructure_t *this)
|
||||||
{
|
{
|
||||||
chunk_t spi;
|
chunk_t spi;
|
||||||
spi.ptr = this->spi.ptr;
|
spi.ptr = this->spi.ptr;
|
||||||
spi.len = this->spi.len;
|
spi.len = this->spi.len;
|
||||||
|
|
||||||
return spi;
|
return spi;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Implementation of proposal_substructure_t.get_info_for_transform_type.
|
|
||||||
*/
|
|
||||||
static status_t get_info_for_transform_type (private_proposal_substructure_t *this,transform_type_t type, u_int16_t *transform_id, u_int16_t *key_length)
|
|
||||||
{
|
|
||||||
iterator_t *iterator;
|
|
||||||
status_t status;
|
|
||||||
u_int16_t found_transform_id;
|
|
||||||
u_int16_t found_key_length;
|
|
||||||
|
|
||||||
iterator = this->transforms->create_iterator(this->transforms,TRUE);
|
|
||||||
|
|
||||||
while (iterator->has_next(iterator))
|
|
||||||
{
|
|
||||||
transform_substructure_t *current_transform;
|
|
||||||
status = iterator->current(iterator,(void **) ¤t_transform);
|
|
||||||
if (status != SUCCESS)
|
|
||||||
{
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (current_transform->get_transform_type(current_transform) == type)
|
|
||||||
{
|
|
||||||
/* now get data for specific type */
|
|
||||||
found_transform_id = current_transform->get_transform_id(current_transform);
|
|
||||||
status = current_transform->get_key_length(current_transform,&found_key_length);
|
|
||||||
*transform_id = found_transform_id;
|
|
||||||
*key_length = found_key_length;
|
|
||||||
iterator->destroy(iterator);
|
|
||||||
return status;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
iterator->destroy(iterator);
|
|
||||||
return NOT_FOUND;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of private_proposal_substructure_t.compute_length.
|
* Implementation of private_proposal_substructure_t.compute_length.
|
||||||
*/
|
*/
|
||||||
static void compute_length (private_proposal_substructure_t *this)
|
static void compute_length(private_proposal_substructure_t *this)
|
||||||
{
|
{
|
||||||
iterator_t *iterator;
|
iterator_t *iterator;
|
||||||
size_t transforms_count = 0;
|
size_t transforms_count = 0;
|
||||||
|
@ -550,7 +535,6 @@ proposal_substructure_t *proposal_substructure_create()
|
||||||
this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number;
|
this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number;
|
||||||
this->public.set_protocol_id = (void (*) (proposal_substructure_t *,u_int8_t))set_protocol_id;
|
this->public.set_protocol_id = (void (*) (proposal_substructure_t *,u_int8_t))set_protocol_id;
|
||||||
this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id;
|
this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id;
|
||||||
this->public.get_info_for_transform_type = (status_t (*) (proposal_substructure_t *,transform_type_t,u_int16_t *, u_int16_t *))get_info_for_transform_type;
|
|
||||||
this->public.set_is_last_proposal = (void (*) (proposal_substructure_t *,bool)) set_is_last_proposal;
|
this->public.set_is_last_proposal = (void (*) (proposal_substructure_t *,bool)) set_is_last_proposal;
|
||||||
this->public.get_proposal = (proposal_t* (*) (proposal_substructure_t*))get_proposal;
|
this->public.get_proposal = (proposal_t* (*) (proposal_substructure_t*))get_proposal;
|
||||||
this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi;
|
this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi;
|
||||||
|
@ -643,16 +627,26 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
|
||||||
}
|
}
|
||||||
iterator->destroy(iterator);
|
iterator->destroy(iterator);
|
||||||
|
|
||||||
/* take over general infos */
|
/* add SPI, if necessary */
|
||||||
this->spi_size = proposal->get_protocol(proposal) == PROTO_IKE ? 0 : 4;
|
switch (proposal->get_protocol(proposal))
|
||||||
this->spi.len = this->spi_size;
|
|
||||||
if (this->spi_size == 4)
|
|
||||||
{
|
{
|
||||||
this->spi.ptr = malloc(this->spi_size);
|
case PROTO_AH:
|
||||||
*((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal);
|
case PROTO_ESP:
|
||||||
|
this->spi_size = this->spi.len = 4;
|
||||||
|
this->spi.ptr = malloc(this->spi_size);
|
||||||
|
*((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal);
|
||||||
|
break;
|
||||||
|
case PROTO_IKE:
|
||||||
|
if (proposal->get_spi(proposal))
|
||||||
|
{ /* IKE only uses SPIS when rekeying, but on initial setup */
|
||||||
|
this->spi_size = this->spi.len = 8;
|
||||||
|
this->spi.ptr = malloc(this->spi_size);
|
||||||
|
*((u_int64_t*)this->spi.ptr) = proposal->get_spi(proposal);
|
||||||
|
}
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
this->proposal_number = 0;
|
this->proposal_number = 0;
|
||||||
this->protocol_id = proposal->get_protocol(proposal);
|
this->protocol_id = proposal->get_protocol(proposal);
|
||||||
|
|
||||||
return &(this->public);
|
return &this->public;
|
||||||
}
|
}
|
||||||
|
|
|
@ -68,12 +68,12 @@ struct proposal_substructure_t {
|
||||||
* @param forward iterator direction (TRUE: front to end)
|
* @param forward iterator direction (TRUE: front to end)
|
||||||
* @return created iterator_t object
|
* @return created iterator_t object
|
||||||
*/
|
*/
|
||||||
iterator_t * (*create_transform_substructure_iterator) (proposal_substructure_t *this, bool forward);
|
iterator_t *(*create_transform_substructure_iterator) (proposal_substructure_t *this, bool forward);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Adds a transform_substructure_t object to this object.
|
* @brief Adds a transform_substructure_t object to this object.
|
||||||
*
|
*
|
||||||
* @warning The added transform_substructure_t object is
|
* @warning The added transform_substructure_t object is
|
||||||
* getting destroyed in destroy function of proposal_substructure_t.
|
* getting destroyed in destroy function of proposal_substructure_t.
|
||||||
*
|
*
|
||||||
* @param this calling proposal_substructure_t object
|
* @param this calling proposal_substructure_t object
|
||||||
|
@ -129,20 +129,6 @@ struct proposal_substructure_t {
|
||||||
*/
|
*/
|
||||||
u_int8_t (*get_protocol_id) (proposal_substructure_t *this);
|
u_int8_t (*get_protocol_id) (proposal_substructure_t *this);
|
||||||
|
|
||||||
/**
|
|
||||||
* @brief Get informations for a specific transform type.
|
|
||||||
*
|
|
||||||
* @param this calling proposal_substructure_t object
|
|
||||||
* @param type type to get informations for
|
|
||||||
* @param transform_id transform id of the specific type
|
|
||||||
* @param key_length key length of the specific key length transform attribute
|
|
||||||
* @return
|
|
||||||
* - SUCCESS if transform type is part of this proposal and
|
|
||||||
* all data (incl. key length) could be fetched
|
|
||||||
* - NOT_FOUND if transform type is not part of this proposal
|
|
||||||
*/
|
|
||||||
status_t (*get_info_for_transform_type) (proposal_substructure_t *this,transform_type_t type, u_int16_t *transform_id, u_int16_t *key_length);
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Sets the next_payload field of this substructure
|
* @brief Sets the next_payload field of this substructure
|
||||||
*
|
*
|
||||||
|
@ -153,7 +139,7 @@ struct proposal_substructure_t {
|
||||||
* @param is_last When TRUE, next payload field is set to 0, otherwise to 2
|
* @param is_last When TRUE, next payload field is set to 0, otherwise to 2
|
||||||
*/
|
*/
|
||||||
void (*set_is_last_proposal) (proposal_substructure_t *this, bool is_last);
|
void (*set_is_last_proposal) (proposal_substructure_t *this, bool is_last);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Returns the currently set SPI of this proposal.
|
* @brief Returns the currently set SPI of this proposal.
|
||||||
*
|
*
|
||||||
|
|
|
@ -62,12 +62,10 @@ static job_type_t get_type(private_delete_established_ike_sa_job_t *this)
|
||||||
*/
|
*/
|
||||||
static status_t execute(private_delete_established_ike_sa_job_t *this)
|
static status_t execute(private_delete_established_ike_sa_job_t *this)
|
||||||
{
|
{
|
||||||
status_t status;
|
if (charon->ike_sa_manager->delete(charon->ike_sa_manager,
|
||||||
|
this->ike_sa_id) != SUCCESS)
|
||||||
status = charon->ike_sa_manager->delete(charon->ike_sa_manager, this->ike_sa_id);
|
|
||||||
if (status != SUCCESS)
|
|
||||||
{
|
{
|
||||||
this->logger->log(this->logger, CONTROL, "IKE SA didn't exist anymore");
|
this->logger->log(this->logger, ERROR|LEVEL1, "IKE SA didn't exist anymore");
|
||||||
}
|
}
|
||||||
return DESTROY_ME;
|
return DESTROY_ME;
|
||||||
}
|
}
|
||||||
|
|
|
@ -149,7 +149,10 @@ static status_t execute(private_incoming_packet_job_t *this)
|
||||||
"received packet with SPIs %llx:%llx, but no such IKE_SA",
|
"received packet with SPIs %llx:%llx, but no such IKE_SA",
|
||||||
ike_sa_id->get_initiator_spi(ike_sa_id),
|
ike_sa_id->get_initiator_spi(ike_sa_id),
|
||||||
ike_sa_id->get_responder_spi(ike_sa_id));
|
ike_sa_id->get_responder_spi(ike_sa_id));
|
||||||
send_notify_response(this, message, INVALID_IKE_SPI);
|
if (message->get_request(message))
|
||||||
|
{
|
||||||
|
send_notify_response(this, message, INVALID_IKE_SPI);
|
||||||
|
}
|
||||||
ike_sa_id->destroy(ike_sa_id);
|
ike_sa_id->destroy(ike_sa_id);
|
||||||
message->destroy(message);
|
message->destroy(message);
|
||||||
return DESTROY_ME;
|
return DESTROY_ME;
|
||||||
|
|
|
@ -71,7 +71,6 @@ static status_t execute(private_initiate_job_t *this)
|
||||||
{
|
{
|
||||||
ike_sa_t *ike_sa;
|
ike_sa_t *ike_sa;
|
||||||
|
|
||||||
this->logger->log(this->logger, CONTROL|LEVEL2, "getting an IKE SA");
|
|
||||||
ike_sa = charon->ike_sa_manager->checkout_by_ids(charon->ike_sa_manager,
|
ike_sa = charon->ike_sa_manager->checkout_by_ids(charon->ike_sa_manager,
|
||||||
this->policy->get_my_id(this->policy),
|
this->policy->get_my_id(this->policy),
|
||||||
this->policy->get_other_id(this->policy));
|
this->policy->get_other_id(this->policy));
|
||||||
|
|
|
@ -29,8 +29,13 @@ mapping_t job_type_m[] = {
|
||||||
{INCOMING_PACKET, "INCOMING_PACKET"},
|
{INCOMING_PACKET, "INCOMING_PACKET"},
|
||||||
{RETRANSMIT_REQUEST, "RETRANSMIT_REQUEST"},
|
{RETRANSMIT_REQUEST, "RETRANSMIT_REQUEST"},
|
||||||
{INITIATE, "INITIATE"},
|
{INITIATE, "INITIATE"},
|
||||||
{DELETE_HALF_OPEN_IKE_SA, "DELETE_HALF_OPEN_IKE_SA"},
|
{ROUTE, "ROUTE"},
|
||||||
|
{ACQUIRE, "ACQUIRE"},
|
||||||
{DELETE_ESTABLISHED_IKE_SA, "DELETE_ESTABLISHED_IKE_SA"},
|
{DELETE_ESTABLISHED_IKE_SA, "DELETE_ESTABLISHED_IKE_SA"},
|
||||||
|
{DELETE_HALF_OPEN_IKE_SA, "DELETE_HALF_OPEN_IKE_SA"},
|
||||||
|
{DELETE_CHILD_SA, "DELETE_CHILD_SA"},
|
||||||
|
{REKEY_CHILD_SA, "REKEY_CHILD_SA"},
|
||||||
|
{REKEY_IKE_SA, "REKEY_IKE_SA"},
|
||||||
{SEND_KEEPALIVE, "SEND_KEEPALIVE"},
|
{SEND_KEEPALIVE, "SEND_KEEPALIVE"},
|
||||||
{SEND_DPD, "SEND_DPD"},
|
{SEND_DPD, "SEND_DPD"},
|
||||||
{MAPPING_END, NULL}
|
{MAPPING_END, NULL}
|
||||||
|
|
|
@ -99,6 +99,13 @@ enum job_type_t {
|
||||||
*/
|
*/
|
||||||
REKEY_CHILD_SA,
|
REKEY_CHILD_SA,
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Rekey an IKE_SA
|
||||||
|
*
|
||||||
|
* Job is implemented in class rekey_ike_sa_job_t
|
||||||
|
*/
|
||||||
|
REKEY_IKE_SA,
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Send a keepalive packet.
|
* Send a keepalive packet.
|
||||||
*
|
*
|
||||||
|
|
|
@ -0,0 +1,105 @@
|
||||||
|
/**
|
||||||
|
* @file rekey_ike_sa_job.c
|
||||||
|
*
|
||||||
|
* @brief Implementation of rekey_ike_sa_job_t.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006 Martin Willi
|
||||||
|
* Hochschule fuer Technik Rapperswil
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||||
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
* for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "rekey_ike_sa_job.h"
|
||||||
|
|
||||||
|
#include <daemon.h>
|
||||||
|
|
||||||
|
|
||||||
|
typedef struct private_rekey_ike_sa_job_t private_rekey_ike_sa_job_t;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Private data of an rekey_ike_sa_job_t object.
|
||||||
|
*/
|
||||||
|
struct private_rekey_ike_sa_job_t {
|
||||||
|
/**
|
||||||
|
* Public rekey_ike_sa_job_t interface.
|
||||||
|
*/
|
||||||
|
rekey_ike_sa_job_t public;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* ID of the IKE_SA to rekey
|
||||||
|
*/
|
||||||
|
ike_sa_id_t *ike_sa_id;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Logger ref
|
||||||
|
*/
|
||||||
|
logger_t *logger;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of job_t.get_type.
|
||||||
|
*/
|
||||||
|
static job_type_t get_type(private_rekey_ike_sa_job_t *this)
|
||||||
|
{
|
||||||
|
return REKEY_IKE_SA;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of job_t.execute.
|
||||||
|
*/
|
||||||
|
static status_t execute(private_rekey_ike_sa_job_t *this)
|
||||||
|
{
|
||||||
|
ike_sa_t *ike_sa;
|
||||||
|
|
||||||
|
ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
|
||||||
|
this->ike_sa_id);
|
||||||
|
if (ike_sa == NULL)
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, ERROR,
|
||||||
|
"IKE_SA to rekey not found");
|
||||||
|
return DESTROY_ME;
|
||||||
|
}
|
||||||
|
ike_sa->rekey(ike_sa);
|
||||||
|
|
||||||
|
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
|
||||||
|
return DESTROY_ME;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of job_t.destroy.
|
||||||
|
*/
|
||||||
|
static void destroy(private_rekey_ike_sa_job_t *this)
|
||||||
|
{
|
||||||
|
this->ike_sa_id->destroy(this->ike_sa_id);
|
||||||
|
free(this);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Described in header
|
||||||
|
*/
|
||||||
|
rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id)
|
||||||
|
{
|
||||||
|
private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t);
|
||||||
|
|
||||||
|
/* interface functions */
|
||||||
|
this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
|
||||||
|
this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
|
||||||
|
this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
|
||||||
|
|
||||||
|
/* private variables */
|
||||||
|
this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
|
||||||
|
this->logger = logger_manager->get_logger(logger_manager, WORKER);
|
||||||
|
|
||||||
|
return &(this->public);
|
||||||
|
}
|
|
@ -0,0 +1,60 @@
|
||||||
|
/**
|
||||||
|
* @file rekey_ike_sa_job.h
|
||||||
|
*
|
||||||
|
* @brief Interface of rekey_ike_sa_job_t.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006 Martin Willi
|
||||||
|
* Hochschule fuer Technik Rapperswil
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||||
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
* for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef REKEY_IKE_SA_JOB_H_
|
||||||
|
#define REKEY_IKE_SA_JOB_H_
|
||||||
|
|
||||||
|
#include <types.h>
|
||||||
|
#include <sa/ike_sa_id.h>
|
||||||
|
#include <queues/jobs/job.h>
|
||||||
|
|
||||||
|
|
||||||
|
typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Class representing an REKEY_IKE_SA Job.
|
||||||
|
*
|
||||||
|
* This job initiates the rekeying of an IKE_SA.
|
||||||
|
*
|
||||||
|
* @b Constructors:
|
||||||
|
* - rekey_ike_sa_job_create()
|
||||||
|
*
|
||||||
|
* @ingroup jobs
|
||||||
|
*/
|
||||||
|
struct rekey_ike_sa_job_t {
|
||||||
|
/**
|
||||||
|
* The job_t interface.
|
||||||
|
*/
|
||||||
|
job_t job_interface;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Creates a job of type REKEY_IKE_SA.
|
||||||
|
*
|
||||||
|
* @param ike_sa_id ID of the IKE_SA to rekey
|
||||||
|
* @return rekey_ike_sa_job_t object
|
||||||
|
*
|
||||||
|
* @ingroup jobs
|
||||||
|
*/
|
||||||
|
rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id);
|
||||||
|
|
||||||
|
#endif /* REKEY_IKE_SA_JOB_H_ */
|
|
@ -74,11 +74,9 @@ static status_t execute(private_route_job_t *this)
|
||||||
{
|
{
|
||||||
ike_sa_t *ike_sa;
|
ike_sa_t *ike_sa;
|
||||||
|
|
||||||
this->logger->log(this->logger, CONTROL|LEVEL2, "getting an IKE SA");
|
|
||||||
ike_sa = charon->ike_sa_manager->checkout_by_ids(charon->ike_sa_manager,
|
ike_sa = charon->ike_sa_manager->checkout_by_ids(charon->ike_sa_manager,
|
||||||
this->policy->get_my_id(this->policy),
|
this->policy->get_my_id(this->policy),
|
||||||
this->policy->get_other_id(this->policy));
|
this->policy->get_other_id(this->policy));
|
||||||
|
|
||||||
if (this->route)
|
if (this->route)
|
||||||
{
|
{
|
||||||
if (ike_sa->route(ike_sa, this->connection, this->policy) != SUCCESS)
|
if (ike_sa->route(ike_sa, this->connection, this->policy) != SUCCESS)
|
||||||
|
|
|
@ -552,7 +552,7 @@ static status_t get_use_time(private_child_sa_t *this, bool inbound, time_t *use
|
||||||
{
|
{
|
||||||
iterator_t *iterator;
|
iterator_t *iterator;
|
||||||
sa_policy_t *policy;
|
sa_policy_t *policy;
|
||||||
status_t status;
|
status_t status = FAILED;
|
||||||
|
|
||||||
*use_time = UNDEFINED_TIME;
|
*use_time = UNDEFINED_TIME;
|
||||||
|
|
||||||
|
|
|
@ -49,12 +49,13 @@
|
||||||
#include <sa/transactions/create_child_sa.h>
|
#include <sa/transactions/create_child_sa.h>
|
||||||
#include <sa/transactions/delete_child_sa.h>
|
#include <sa/transactions/delete_child_sa.h>
|
||||||
#include <sa/transactions/dead_peer_detection.h>
|
#include <sa/transactions/dead_peer_detection.h>
|
||||||
|
#include <sa/transactions/rekey_ike_sa.h>
|
||||||
#include <queues/jobs/retransmit_request_job.h>
|
#include <queues/jobs/retransmit_request_job.h>
|
||||||
#include <queues/jobs/delete_established_ike_sa_job.h>
|
#include <queues/jobs/delete_established_ike_sa_job.h>
|
||||||
#include <queues/jobs/delete_half_open_ike_sa_job.h>
|
#include <queues/jobs/delete_half_open_ike_sa_job.h>
|
||||||
#include <queues/jobs/send_dpd_job.h>
|
#include <queues/jobs/send_dpd_job.h>
|
||||||
#include <queues/jobs/send_keepalive_job.h>
|
#include <queues/jobs/send_keepalive_job.h>
|
||||||
|
#include <queues/jobs/rekey_ike_sa_job.h>
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* String mappings for ike_sa_state_t.
|
* String mappings for ike_sa_state_t.
|
||||||
|
@ -186,14 +187,20 @@ struct private_ike_sa_t {
|
||||||
u_int32_t message_id_out;
|
u_int32_t message_id_out;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Timestamp of last IKE message received on this SA
|
* Timestamps for this IKE_SA
|
||||||
*/
|
*/
|
||||||
time_t time_inbound;
|
struct {
|
||||||
|
/** last IKE message received */
|
||||||
/**
|
u_int32_t inbound;
|
||||||
* Timestamp of last IKE message sent on this SA
|
/** last IKE message sent */
|
||||||
*/
|
u_int32_t outbound;
|
||||||
time_t time_outbound;
|
/** when IKE_SA became established */
|
||||||
|
u_int32_t established;
|
||||||
|
/** when IKE_SA gets rekeyed */
|
||||||
|
u_int32_t rekey;
|
||||||
|
/** when IKE_SA gets deleted */
|
||||||
|
u_int32_t delete;
|
||||||
|
} time;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* List of queued transactions to process
|
* List of queued transactions to process
|
||||||
|
@ -247,7 +254,7 @@ static time_t get_kernel_time(private_ike_sa_t* this, bool inbound)
|
||||||
*/
|
*/
|
||||||
static time_t get_time_inbound(private_ike_sa_t *this)
|
static time_t get_time_inbound(private_ike_sa_t *this)
|
||||||
{
|
{
|
||||||
return max(this->time_inbound, get_kernel_time(this, TRUE));
|
return max(this->time.inbound, get_kernel_time(this, TRUE));
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -255,7 +262,7 @@ static time_t get_time_inbound(private_ike_sa_t *this)
|
||||||
*/
|
*/
|
||||||
static time_t get_time_outbound(private_ike_sa_t *this)
|
static time_t get_time_outbound(private_ike_sa_t *this)
|
||||||
{
|
{
|
||||||
return max(this->time_outbound, get_kernel_time(this, FALSE));
|
return max(this->time.outbound, get_kernel_time(this, FALSE));
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -283,6 +290,15 @@ static host_t *get_my_host(private_ike_sa_t *this)
|
||||||
return this->my_host;
|
return this->my_host;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of ike_sa_t.set_my_host.
|
||||||
|
*/
|
||||||
|
static void set_my_host(private_ike_sa_t *this, host_t *me)
|
||||||
|
{
|
||||||
|
DESTROY_IF(this->my_host);
|
||||||
|
this->my_host = me;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of ike_sa_t.get_other_host.
|
* Implementation of ike_sa_t.get_other_host.
|
||||||
*/
|
*/
|
||||||
|
@ -291,6 +307,15 @@ static host_t *get_other_host(private_ike_sa_t *this)
|
||||||
return this->other_host;
|
return this->other_host;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of ike_sa_t.set_other_host.
|
||||||
|
*/
|
||||||
|
static void set_other_host(private_ike_sa_t *this, host_t *other)
|
||||||
|
{
|
||||||
|
DESTROY_IF(this->other_host);
|
||||||
|
this->other_host = other;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Update connection host, as addresses may change (NAT)
|
* Update connection host, as addresses may change (NAT)
|
||||||
*/
|
*/
|
||||||
|
@ -437,7 +462,7 @@ static status_t transmit_request(private_ike_sa_t *this)
|
||||||
}
|
}
|
||||||
/* finally send */
|
/* finally send */
|
||||||
charon->send_queue->add(charon->send_queue, packet);
|
charon->send_queue->add(charon->send_queue, packet);
|
||||||
this->time_outbound = time(NULL);
|
this->time.outbound = time(NULL);
|
||||||
|
|
||||||
/* schedule retransmission job */
|
/* schedule retransmission job */
|
||||||
job = retransmit_request_job_create(message_id, this->ike_sa_id);
|
job = retransmit_request_job_create(message_id, this->ike_sa_id);
|
||||||
|
@ -548,7 +573,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request)
|
||||||
last->get_response(last, request, &response, &this->transaction_in_next);
|
last->get_response(last, request, &response, &this->transaction_in_next);
|
||||||
packet = response->get_packet(response);
|
packet = response->get_packet(response);
|
||||||
charon->send_queue->add(charon->send_queue, packet);
|
charon->send_queue->add(charon->send_queue, packet);
|
||||||
this->time_outbound = time(NULL);
|
this->time.outbound = time(NULL);
|
||||||
return SUCCESS;
|
return SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -608,7 +633,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request)
|
||||||
}
|
}
|
||||||
|
|
||||||
charon->send_queue->add(charon->send_queue, packet);
|
charon->send_queue->add(charon->send_queue, packet);
|
||||||
this->time_outbound = time(NULL);
|
this->time.outbound = time(NULL);
|
||||||
/* act depending on transaction result */
|
/* act depending on transaction result */
|
||||||
switch (status)
|
switch (status)
|
||||||
{
|
{
|
||||||
|
@ -691,7 +716,7 @@ static void send_notify_response(private_ike_sa_t *this,
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
charon->send_queue->add(charon->send_queue, packet);
|
charon->send_queue->add(charon->send_queue, packet);
|
||||||
this->time_outbound = time(NULL);
|
this->time.outbound = time(NULL);
|
||||||
response->destroy(response);
|
response->destroy(response);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -710,46 +735,49 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
|
||||||
status = message->parse_body(message, this->crypter_in, this->signer_in);
|
status = message->parse_body(message, this->crypter_in, this->signer_in);
|
||||||
if (status != SUCCESS)
|
if (status != SUCCESS)
|
||||||
{
|
{
|
||||||
switch (status)
|
if (is_request)
|
||||||
{
|
{
|
||||||
case NOT_SUPPORTED:
|
switch (status)
|
||||||
this->logger->log(this->logger, ERROR,
|
{
|
||||||
"ciritcal unknown payloads found");
|
case NOT_SUPPORTED:
|
||||||
if (is_request)
|
this->logger->log(this->logger, ERROR,
|
||||||
{
|
"ciritcal unknown payloads found");
|
||||||
send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
|
if (is_request)
|
||||||
}
|
{
|
||||||
break;
|
send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
|
||||||
case PARSE_ERROR:
|
}
|
||||||
this->logger->log(this->logger, ERROR,
|
break;
|
||||||
"message parsing failed");
|
case PARSE_ERROR:
|
||||||
if (is_request)
|
this->logger->log(this->logger, ERROR,
|
||||||
{
|
"message parsing failed");
|
||||||
send_notify_response(this, message, INVALID_SYNTAX);
|
if (is_request)
|
||||||
}
|
{
|
||||||
break;
|
send_notify_response(this, message, INVALID_SYNTAX);
|
||||||
case VERIFY_ERROR:
|
}
|
||||||
this->logger->log(this->logger, ERROR,
|
break;
|
||||||
"message verification failed");
|
case VERIFY_ERROR:
|
||||||
if (is_request)
|
this->logger->log(this->logger, ERROR,
|
||||||
{
|
"message verification failed");
|
||||||
send_notify_response(this, message, INVALID_SYNTAX);
|
if (is_request)
|
||||||
}
|
{
|
||||||
break;
|
send_notify_response(this, message, INVALID_SYNTAX);
|
||||||
case FAILED:
|
}
|
||||||
this->logger->log(this->logger, ERROR,
|
break;
|
||||||
"integrity check failed");
|
case FAILED:
|
||||||
/* ignored */
|
this->logger->log(this->logger, ERROR,
|
||||||
break;
|
"integrity check failed");
|
||||||
case INVALID_STATE:
|
/* ignored */
|
||||||
this->logger->log(this->logger, ERROR,
|
break;
|
||||||
"found encrypted message, but no keys available");
|
case INVALID_STATE:
|
||||||
if (is_request)
|
this->logger->log(this->logger, ERROR,
|
||||||
{
|
"found encrypted message, but no keys available");
|
||||||
send_notify_response(this, message, INVALID_SYNTAX);
|
if (is_request)
|
||||||
}
|
{
|
||||||
default:
|
send_notify_response(this, message, INVALID_SYNTAX);
|
||||||
break;
|
}
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
this->logger->log(this->logger, ERROR,
|
this->logger->log(this->logger, ERROR,
|
||||||
"%s %s with message ID %d processing failed",
|
"%s %s with message ID %d processing failed",
|
||||||
|
@ -765,7 +793,7 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
|
||||||
{
|
{
|
||||||
update_hosts(this, message->get_destination(message),
|
update_hosts(this, message->get_destination(message),
|
||||||
message->get_source(message));
|
message->get_source(message));
|
||||||
this->time_inbound = time(NULL);
|
this->time.inbound = time(NULL);
|
||||||
}
|
}
|
||||||
if (is_request)
|
if (is_request)
|
||||||
{
|
{
|
||||||
|
@ -1211,19 +1239,20 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
|
||||||
mapping_find(ike_sa_state_m, state));
|
mapping_find(ike_sa_state_m, state));
|
||||||
if (state == IKE_ESTABLISHED)
|
if (state == IKE_ESTABLISHED)
|
||||||
{
|
{
|
||||||
|
this->time.established = time(NULL);
|
||||||
this->logger->log(this->logger, AUDIT, "IKE_SA established: %s[%s]...%s[%s]",
|
this->logger->log(this->logger, AUDIT, "IKE_SA established: %s[%s]...%s[%s]",
|
||||||
this->my_host->get_string(this->my_host),
|
this->my_host->get_string(this->my_host),
|
||||||
this->my_id->get_string(this->my_id),
|
this->my_id->get_string(this->my_id),
|
||||||
this->other_host->get_string(this->other_host),
|
this->other_host->get_string(this->other_host),
|
||||||
this->other_id->get_string(this->other_id));
|
this->other_id->get_string(this->other_id));
|
||||||
|
/* start DPD checks */
|
||||||
send_dpd(this);
|
send_dpd(this);
|
||||||
}
|
}
|
||||||
this->state = state;
|
this->state = state;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of protected_ike_sa_t.get_prf.
|
* Implementation of ike_sa_t.get_prf.
|
||||||
*/
|
*/
|
||||||
static prf_t *get_prf(private_ike_sa_t *this)
|
static prf_t *get_prf(private_ike_sa_t *this)
|
||||||
{
|
{
|
||||||
|
@ -1231,7 +1260,7 @@ static prf_t *get_prf(private_ike_sa_t *this)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of protected_ike_sa_t.get_prf.
|
* Implementation of ike_sa_t.get_prf.
|
||||||
*/
|
*/
|
||||||
static prf_t *get_child_prf(private_ike_sa_t *this)
|
static prf_t *get_child_prf(private_ike_sa_t *this)
|
||||||
{
|
{
|
||||||
|
@ -1239,7 +1268,7 @@ static prf_t *get_child_prf(private_ike_sa_t *this)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of protected_ike_sa_t.get_prf_auth_i.
|
* Implementation of ike_sa_t.get_prf_auth_i.
|
||||||
*/
|
*/
|
||||||
static prf_t *get_prf_auth_i(private_ike_sa_t *this)
|
static prf_t *get_prf_auth_i(private_ike_sa_t *this)
|
||||||
{
|
{
|
||||||
|
@ -1247,7 +1276,7 @@ static prf_t *get_prf_auth_i(private_ike_sa_t *this)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of protected_ike_sa_t.get_prf_auth_r.
|
* Implementation of ike_sa_t.get_prf_auth_r.
|
||||||
*/
|
*/
|
||||||
static prf_t *get_prf_auth_r(private_ike_sa_t *this)
|
static prf_t *get_prf_auth_r(private_ike_sa_t *this)
|
||||||
{
|
{
|
||||||
|
@ -1297,21 +1326,24 @@ static void set_other_id(private_ike_sa_t *this, identification_t *other)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of protected_ike_sa_t.build_transforms.
|
* Implementation of ike_sa_t.derive_keys.
|
||||||
*/
|
*/
|
||||||
static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal,
|
static status_t derive_keys(private_ike_sa_t *this,
|
||||||
diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r,
|
proposal_t *proposal, diffie_hellman_t *dh,
|
||||||
bool initiator)
|
chunk_t nonce_i, chunk_t nonce_r,
|
||||||
|
bool initiator, prf_t *rekey_prf)
|
||||||
{
|
{
|
||||||
chunk_t nonces, nonces_spis, skeyseed, key, secret;
|
|
||||||
u_int64_t spi_i, spi_r;
|
|
||||||
prf_plus_t *prf_plus;
|
prf_plus_t *prf_plus;
|
||||||
|
chunk_t skeyseed, secret, key, nonces, prf_plus_seed;
|
||||||
algorithm_t *algo;
|
algorithm_t *algo;
|
||||||
size_t key_size;
|
size_t key_size;
|
||||||
crypter_t *crypter_i, *crypter_r;
|
crypter_t *crypter_i, *crypter_r;
|
||||||
signer_t *signer_i, *signer_r;
|
signer_t *signer_i, *signer_r;
|
||||||
|
u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)];
|
||||||
|
chunk_t spi_i = chunk_from_buf(spi_i_buf);
|
||||||
|
chunk_t spi_r = chunk_from_buf(spi_r_buf);
|
||||||
|
|
||||||
/* Build the PRF+ instance for deriving keys */
|
/* Create SAs general purpose PRF first, we may use it here */
|
||||||
if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo))
|
if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo))
|
||||||
{
|
{
|
||||||
this->logger->log(this->logger, ERROR, "no PSEUDO_RANDOM_FUNCTION selected!");
|
this->logger->log(this->logger, ERROR, "no PSEUDO_RANDOM_FUNCTION selected!");
|
||||||
|
@ -1325,39 +1357,46 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal,
|
||||||
return FAILED;
|
return FAILED;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* nonces = nonce_i | nonce_r */
|
|
||||||
nonces = chunk_alloc(nonce_i.len + nonce_r.len);
|
|
||||||
memcpy(nonces.ptr, nonce_i.ptr, nonce_i.len);
|
|
||||||
memcpy(nonces.ptr + nonce_i.len, nonce_r.ptr, nonce_r.len);
|
|
||||||
|
|
||||||
/* prf_seed = nonce_i | nonce_r | spi_i | spi_r */
|
|
||||||
nonces_spis = chunk_alloc(nonces.len + 16);
|
|
||||||
memcpy(nonces_spis.ptr, nonces.ptr, nonces.len);
|
|
||||||
spi_i = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
|
|
||||||
spi_r = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
|
|
||||||
memcpy(nonces_spis.ptr + nonces.len, &spi_i, 8);
|
|
||||||
memcpy(nonces_spis.ptr + nonces.len + 8, &spi_r, 8);
|
|
||||||
|
|
||||||
/* SKEYSEED = prf(Ni | Nr, g^ir) */
|
|
||||||
dh->get_shared_secret(dh, &secret);
|
dh->get_shared_secret(dh, &secret);
|
||||||
this->logger->log_chunk(this->logger, PRIVATE, "shared Diffie Hellman secret", secret);
|
this->logger->log_chunk(this->logger, PRIVATE, "shared Diffie Hellman secret", secret);
|
||||||
this->prf->set_key(this->prf, nonces);
|
nonces = chunk_cat("cc", nonce_i, nonce_r);
|
||||||
this->prf->allocate_bytes(this->prf, secret, &skeyseed);
|
*((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
|
||||||
this->logger->log_chunk(this->logger, PRIVATE|LEVEL1, "SKEYSEED", skeyseed);
|
*((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
|
||||||
chunk_free(&secret);
|
prf_plus_seed = chunk_cat("ccc", nonces, spi_i, spi_r);
|
||||||
|
|
||||||
/* prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr )
|
/* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
|
||||||
* = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr
|
*
|
||||||
|
* if we are rekeying, SKEYSEED built on another way
|
||||||
*/
|
*/
|
||||||
this->prf->set_key(this->prf, skeyseed);
|
if (rekey_prf == NULL) /* not rekeying */
|
||||||
prf_plus = prf_plus_create(this->prf, nonces_spis);
|
{
|
||||||
|
/* SKEYSEED = prf(Ni | Nr, g^ir) */
|
||||||
/* clean up unused stuff */
|
this->prf->set_key(this->prf, nonces);
|
||||||
|
this->prf->allocate_bytes(this->prf, secret, &skeyseed);
|
||||||
|
this->logger->log_chunk(this->logger, PRIVATE|LEVEL1, "SKEYSEED", skeyseed);
|
||||||
|
this->prf->set_key(this->prf, skeyseed);
|
||||||
|
chunk_free(&skeyseed);
|
||||||
|
chunk_free(&secret);
|
||||||
|
prf_plus = prf_plus_create(this->prf, prf_plus_seed);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
/* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr) */
|
||||||
|
secret = chunk_cat("mc", secret, nonces);
|
||||||
|
rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed);
|
||||||
|
this->logger->log_chunk(this->logger, PRIVATE|LEVEL1, "SKEYSEED", skeyseed);
|
||||||
|
rekey_prf->set_key(rekey_prf, skeyseed); /* abuse of rekeyed SAs child_prf */
|
||||||
|
chunk_free(&skeyseed);
|
||||||
|
chunk_free(&secret);
|
||||||
|
prf_plus = prf_plus_create(rekey_prf, prf_plus_seed);
|
||||||
|
}
|
||||||
chunk_free(&nonces);
|
chunk_free(&nonces);
|
||||||
chunk_free(&nonces_spis);
|
chunk_free(&prf_plus_seed);
|
||||||
chunk_free(&skeyseed);
|
|
||||||
|
|
||||||
/* SK_d used for prf+ to derive keys for child SAs */
|
/* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
|
||||||
|
|
||||||
|
/* SK_d is used for generating CHILD_SA key mat => child_prf */
|
||||||
|
proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
|
||||||
this->child_prf = prf_create(algo->algorithm);
|
this->child_prf = prf_create(algo->algorithm);
|
||||||
key_size = this->child_prf->get_key_size(this->child_prf);
|
key_size = this->child_prf->get_key_size(this->child_prf);
|
||||||
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
||||||
|
@ -1365,13 +1404,12 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal,
|
||||||
this->child_prf->set_key(this->child_prf, key);
|
this->child_prf->set_key(this->child_prf, key);
|
||||||
chunk_free(&key);
|
chunk_free(&key);
|
||||||
|
|
||||||
/* SK_ai/SK_ar used for integrity protection */
|
/* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
|
||||||
if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
|
if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
|
||||||
{
|
{
|
||||||
this->logger->log(this->logger, ERROR, "no INTEGRITY_ALGORITHM selected?!");
|
this->logger->log(this->logger, ERROR, "no INTEGRITY_ALGORITHM selected?!");
|
||||||
return FAILED;
|
return FAILED;
|
||||||
}
|
}
|
||||||
|
|
||||||
signer_i = signer_create(algo->algorithm);
|
signer_i = signer_create(algo->algorithm);
|
||||||
signer_r = signer_create(algo->algorithm);
|
signer_r = signer_create(algo->algorithm);
|
||||||
if (signer_i == NULL || signer_r == NULL)
|
if (signer_i == NULL || signer_r == NULL)
|
||||||
|
@ -1386,7 +1424,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal,
|
||||||
this->logger->log_chunk(this->logger, CONTROL|LEVEL1, "Sk_ai secret", key);
|
this->logger->log_chunk(this->logger, CONTROL|LEVEL1, "Sk_ai secret", key);
|
||||||
signer_i->set_key(signer_i, key);
|
signer_i->set_key(signer_i, key);
|
||||||
chunk_free(&key);
|
chunk_free(&key);
|
||||||
|
|
||||||
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
||||||
this->logger->log_chunk(this->logger, CONTROL|LEVEL1, "Sk_ar secret", key);
|
this->logger->log_chunk(this->logger, CONTROL|LEVEL1, "Sk_ar secret", key);
|
||||||
signer_r->set_key(signer_r, key);
|
signer_r->set_key(signer_r, key);
|
||||||
|
@ -1403,12 +1441,12 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal,
|
||||||
this->signer_out = signer_r;
|
this->signer_out = signer_r;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* SK_ei/SK_er used for encryption */
|
/* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
|
||||||
if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
|
if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
|
||||||
{
|
{
|
||||||
this->logger->log(this->logger, ERROR, "no ENCRYPTION_ALGORITHM selected!");
|
this->logger->log(this->logger, ERROR, "no ENCRYPTION_ALGORITHM selected!");
|
||||||
return FAILED;
|
return FAILED;
|
||||||
}
|
}
|
||||||
crypter_i = crypter_create(algo->algorithm, algo->key_size / 8);
|
crypter_i = crypter_create(algo->algorithm, algo->key_size / 8);
|
||||||
crypter_r = crypter_create(algo->algorithm, algo->key_size / 8);
|
crypter_r = crypter_create(algo->algorithm, algo->key_size / 8);
|
||||||
if (crypter_i == NULL || crypter_r == NULL)
|
if (crypter_i == NULL || crypter_r == NULL)
|
||||||
|
@ -1442,7 +1480,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal,
|
||||||
this->crypter_out = crypter_r;
|
this->crypter_out = crypter_r;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* SK_pi/SK_pr used for authentication */
|
/* SK_pi/SK_pr used for authentication => prf_auth_i, prf_auth_r */
|
||||||
proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
|
proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
|
||||||
this->prf_auth_i = prf_create(algo->algorithm);
|
this->prf_auth_i = prf_create(algo->algorithm);
|
||||||
this->prf_auth_r = prf_create(algo->algorithm);
|
this->prf_auth_r = prf_create(algo->algorithm);
|
||||||
|
@ -1462,10 +1500,11 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal,
|
||||||
prf_plus->destroy(prf_plus);
|
prf_plus->destroy(prf_plus);
|
||||||
|
|
||||||
return SUCCESS;
|
return SUCCESS;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of protected_ike_sa_t.add_child_sa.
|
* Implementation of ike_sa_t.add_child_sa.
|
||||||
*/
|
*/
|
||||||
static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
|
static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
|
||||||
{
|
{
|
||||||
|
@ -1473,7 +1512,7 @@ static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of protected_ike_sa_t.has_child_sa.
|
* Implementation of ike_sa_t.has_child_sa.
|
||||||
*/
|
*/
|
||||||
static bool has_child_sa(private_ike_sa_t *this, u_int32_t reqid)
|
static bool has_child_sa(private_ike_sa_t *this, u_int32_t reqid)
|
||||||
{
|
{
|
||||||
|
@ -1495,7 +1534,7 @@ static bool has_child_sa(private_ike_sa_t *this, u_int32_t reqid)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of protected_ike_sa_t.get_child_sa.
|
* Implementation of ike_sa_t.get_child_sa.
|
||||||
*/
|
*/
|
||||||
static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
|
static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
|
||||||
u_int32_t spi, bool inbound)
|
u_int32_t spi, bool inbound)
|
||||||
|
@ -1556,7 +1595,7 @@ static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of protected_ike_sa_t.destroy_child_sa.
|
* Implementation of ike_sa_t.destroy_child_sa.
|
||||||
*/
|
*/
|
||||||
static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
|
static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
|
||||||
{
|
{
|
||||||
|
@ -1580,32 +1619,85 @@ static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of ike_sa_t.set_lifetimes.
|
||||||
|
*/
|
||||||
|
static void set_lifetimes(private_ike_sa_t *this,
|
||||||
|
u_int32_t soft_lifetime, u_int32_t hard_lifetime)
|
||||||
|
{
|
||||||
|
job_t *job;
|
||||||
|
|
||||||
|
if (soft_lifetime)
|
||||||
|
{
|
||||||
|
this->time.rekey = this->time.established + soft_lifetime;
|
||||||
|
job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id);
|
||||||
|
charon->event_queue->add_relative(charon->event_queue, job,
|
||||||
|
soft_lifetime * 1000);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (hard_lifetime)
|
||||||
|
{
|
||||||
|
this->time.delete = this->time.established + hard_lifetime;
|
||||||
|
job = (job_t*)delete_established_ike_sa_job_create(this->ike_sa_id);
|
||||||
|
charon->event_queue->add_relative(charon->event_queue, job,
|
||||||
|
hard_lifetime * 1000);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of protected_ike_sa_t.log_status.
|
* Implementation of ike_sa_t.rekey.
|
||||||
|
*/
|
||||||
|
static status_t rekey(private_ike_sa_t *this)
|
||||||
|
{
|
||||||
|
rekey_ike_sa_t *rekey_ike_sa;
|
||||||
|
|
||||||
|
this->logger->log(this->logger, CONTROL,
|
||||||
|
"rekeying IKE_SA between %s[%s]..%s[%s]",
|
||||||
|
this->my_host->get_string(this->my_host),
|
||||||
|
this->my_id->get_string(this->my_id),
|
||||||
|
this->other_host->get_string(this->other_host),
|
||||||
|
this->other_id->get_string(this->other_id));
|
||||||
|
|
||||||
|
if (this->state != IKE_ESTABLISHED)
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, ERROR,
|
||||||
|
"unable to rekey IKE_SA in state %s",
|
||||||
|
mapping_find(ike_sa_state_m, this->state));
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
rekey_ike_sa = rekey_ike_sa_create(&this->public);
|
||||||
|
return queue_transaction(this, (transaction_t*)rekey_ike_sa, FALSE);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of ike_sa_t.adopt_children.
|
||||||
|
*/
|
||||||
|
static void adopt_children(private_ike_sa_t *this, private_ike_sa_t *other)
|
||||||
|
{
|
||||||
|
child_sa_t *child_sa;
|
||||||
|
|
||||||
|
while (other->child_sas->remove_last(other->child_sas,
|
||||||
|
(void**)&child_sa) == SUCCESS)
|
||||||
|
{
|
||||||
|
this->child_sas->insert_first(this->child_sas, (void*)child_sa);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of ike_sa_t.log_status.
|
||||||
*/
|
*/
|
||||||
static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
|
static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
|
||||||
{
|
{
|
||||||
iterator_t *iterator;
|
iterator_t *iterator;
|
||||||
child_sa_t *child_sa;
|
child_sa_t *child_sa;
|
||||||
char *my_host, *other_host, *my_id, *other_id;
|
|
||||||
|
|
||||||
if (name == NULL || streq(name, this->name))
|
if (name == NULL || streq(name, this->name))
|
||||||
{
|
{
|
||||||
if (logger == NULL)
|
if (logger == NULL)
|
||||||
{
|
{
|
||||||
logger = this->logger;
|
logger = this->logger;
|
||||||
}
|
}
|
||||||
|
|
||||||
my_host = this->my_host ?
|
|
||||||
this->my_host->get_string(this->my_host) : "(unknown)";
|
|
||||||
other_host = this->other_host ?
|
|
||||||
this->other_host->get_string(this->other_host) : "(unknown)";
|
|
||||||
my_id = this->my_id ?
|
|
||||||
this->my_id->get_string(this->my_id) : "(unknown)";
|
|
||||||
other_id = this->other_id ?
|
|
||||||
this->other_id->get_string(this->other_id) : "(unknown)";
|
|
||||||
|
|
||||||
logger->log(logger, CONTROL|LEVEL1,
|
logger->log(logger, CONTROL|LEVEL1,
|
||||||
" \"%s\": IKE_SA in state %s, SPIs: 0x%.16llx 0x%.16llx",
|
" \"%s\": IKE_SA in state %s, SPIs: 0x%.16llx 0x%.16llx",
|
||||||
this->name,
|
this->name,
|
||||||
|
@ -1613,7 +1705,11 @@ static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
|
||||||
this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
|
this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
|
||||||
this->ike_sa_id->get_responder_spi(this->ike_sa_id));
|
this->ike_sa_id->get_responder_spi(this->ike_sa_id));
|
||||||
logger->log(logger, CONTROL, " \"%s\": %s[%s]...%s[%s]",
|
logger->log(logger, CONTROL, " \"%s\": %s[%s]...%s[%s]",
|
||||||
this->name, my_host, my_id, other_host, other_id);
|
this->name,
|
||||||
|
this->my_host->get_string(this->my_host),
|
||||||
|
this->my_id->get_string(this->my_id),
|
||||||
|
this->other_host->get_string(this->other_host),
|
||||||
|
this->other_id->get_string(this->other_id));
|
||||||
|
|
||||||
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
||||||
while (iterator->has_next(iterator))
|
while (iterator->has_next(iterator))
|
||||||
|
@ -1671,7 +1767,7 @@ static bool is_natt_enabled (private_ike_sa_t *this)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of protected_ike_sa_t.enable_natt.
|
* Implementation of ike_sa_t.enable_natt.
|
||||||
*/
|
*/
|
||||||
static void enable_natt (private_ike_sa_t *this, bool local)
|
static void enable_natt (private_ike_sa_t *this, bool local)
|
||||||
{
|
{
|
||||||
|
@ -1691,13 +1787,12 @@ static void enable_natt (private_ike_sa_t *this, bool local)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of protected_ike_sa_t.destroy.
|
* Implementation of ike_sa_t.destroy.
|
||||||
*/
|
*/
|
||||||
static void destroy(private_ike_sa_t *this)
|
static void destroy(private_ike_sa_t *this)
|
||||||
{
|
{
|
||||||
child_sa_t *child_sa;
|
child_sa_t *child_sa;
|
||||||
transaction_t *transaction;
|
transaction_t *transaction;
|
||||||
char *my_host, *other_host, *my_id, *other_id;
|
|
||||||
|
|
||||||
this->logger->log(this->logger, CONTROL|LEVEL2, "going to destroy IKE SA %llu:%llu, role %s",
|
this->logger->log(this->logger, CONTROL|LEVEL2, "going to destroy IKE SA %llu:%llu, role %s",
|
||||||
this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
|
this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
|
||||||
|
@ -1733,19 +1828,13 @@ static void destroy(private_ike_sa_t *this)
|
||||||
DESTROY_IF(this->child_prf);
|
DESTROY_IF(this->child_prf);
|
||||||
DESTROY_IF(this->prf_auth_i);
|
DESTROY_IF(this->prf_auth_i);
|
||||||
DESTROY_IF(this->prf_auth_r);
|
DESTROY_IF(this->prf_auth_r);
|
||||||
|
|
||||||
my_host = this->my_host ?
|
|
||||||
this->my_host->get_string(this->my_host) : "(unknown)";
|
|
||||||
other_host = this->other_host ?
|
|
||||||
this->other_host->get_string(this->other_host) : "(unknown)";
|
|
||||||
my_id = this->my_id ?
|
|
||||||
this->my_id->get_string(this->my_id) : "(unknown)";
|
|
||||||
other_id = this->other_id ?
|
|
||||||
this->other_id->get_string(this->other_id) : "(unknown)";
|
|
||||||
|
|
||||||
this->logger->log(this->logger, AUDIT,
|
this->logger->log(this->logger, AUDIT,
|
||||||
"IKE_SA deleted between %s[%s]...%s[%s]",
|
"IKE_SA deleted between %s[%s]...%s[%s]",
|
||||||
my_host, my_id, other_host, other_id);
|
this->my_host->get_string(this->my_host),
|
||||||
|
this->my_id->get_string(this->my_id),
|
||||||
|
this->other_host->get_string(this->other_host),
|
||||||
|
this->other_id->get_string(this->other_id));
|
||||||
|
|
||||||
DESTROY_IF(this->my_host);
|
DESTROY_IF(this->my_host);
|
||||||
DESTROY_IF(this->other_host);
|
DESTROY_IF(this->other_host);
|
||||||
|
@ -1776,7 +1865,9 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
|
||||||
this->public.acquire = (status_t(*)(ike_sa_t*,u_int32_t)) acquire;
|
this->public.acquire = (status_t(*)(ike_sa_t*,u_int32_t)) acquire;
|
||||||
this->public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
|
this->public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
|
||||||
this->public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host;
|
this->public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host;
|
||||||
|
this->public.set_my_host = (void(*)(ike_sa_t*,host_t*)) set_my_host;
|
||||||
this->public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host;
|
this->public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host;
|
||||||
|
this->public.set_other_host = (void(*)(ike_sa_t*,host_t*)) set_other_host;
|
||||||
this->public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id;
|
this->public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id;
|
||||||
this->public.set_my_id = (void(*)(ike_sa_t*,identification_t*)) set_my_id;
|
this->public.set_my_id = (void(*)(ike_sa_t*,identification_t*)) set_my_id;
|
||||||
this->public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id;
|
this->public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id;
|
||||||
|
@ -1792,7 +1883,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
|
||||||
this->public.get_child_prf = (prf_t *(*) (ike_sa_t *)) get_child_prf;
|
this->public.get_child_prf = (prf_t *(*) (ike_sa_t *)) get_child_prf;
|
||||||
this->public.get_prf_auth_i = (prf_t *(*) (ike_sa_t *)) get_prf_auth_i;
|
this->public.get_prf_auth_i = (prf_t *(*) (ike_sa_t *)) get_prf_auth_i;
|
||||||
this->public.get_prf_auth_r = (prf_t *(*) (ike_sa_t *)) get_prf_auth_r;
|
this->public.get_prf_auth_r = (prf_t *(*) (ike_sa_t *)) get_prf_auth_r;
|
||||||
this->public.build_transforms = (status_t (*) (ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t,bool)) build_transforms;
|
this->public.derive_keys = (status_t (*) (ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t,bool,prf_t*)) derive_keys;
|
||||||
this->public.add_child_sa = (void (*) (ike_sa_t*,child_sa_t*)) add_child_sa;
|
this->public.add_child_sa = (void (*) (ike_sa_t*,child_sa_t*)) add_child_sa;
|
||||||
this->public.has_child_sa = (bool(*)(ike_sa_t*,u_int32_t)) has_child_sa;
|
this->public.has_child_sa = (bool(*)(ike_sa_t*,u_int32_t)) has_child_sa;
|
||||||
this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
|
this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
|
||||||
|
@ -1801,6 +1892,9 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
|
||||||
this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
|
this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
|
||||||
this->public.enable_natt = (void(*)(ike_sa_t*, bool)) enable_natt;
|
this->public.enable_natt = (void(*)(ike_sa_t*, bool)) enable_natt;
|
||||||
this->public.is_natt_enabled = (bool(*)(ike_sa_t*)) is_natt_enabled;
|
this->public.is_natt_enabled = (bool(*)(ike_sa_t*)) is_natt_enabled;
|
||||||
|
this->public.set_lifetimes = (void(*)(ike_sa_t*,u_int32_t,u_int32_t))set_lifetimes;
|
||||||
|
this->public.rekey = (status_t(*)(ike_sa_t*))rekey;
|
||||||
|
this->public.adopt_children = (void(*)(ike_sa_t*,ike_sa_t*))adopt_children;
|
||||||
|
|
||||||
/* initialize private fields */
|
/* initialize private fields */
|
||||||
this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
|
this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
|
||||||
|
@ -1826,10 +1920,12 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
|
||||||
this->transaction_in_next = NULL;
|
this->transaction_in_next = NULL;
|
||||||
this->transaction_out = NULL;
|
this->transaction_out = NULL;
|
||||||
this->state = IKE_CREATED;
|
this->state = IKE_CREATED;
|
||||||
/* we start with message ID out, as ike_sa_init does not use this counter */
|
|
||||||
this->message_id_out = 0;
|
this->message_id_out = 0;
|
||||||
this->time_inbound = 0;
|
/* set to NOW, as when we rekey an existing IKE_SA no message is exchanged */
|
||||||
this->time_outbound = 0;
|
this->time.inbound = this->time.outbound = time(NULL);
|
||||||
|
this->time.established = 0;
|
||||||
|
this->time.rekey = 0;
|
||||||
|
this->time.delete = 0;
|
||||||
|
|
||||||
return &this->public;
|
return &this->public;
|
||||||
}
|
}
|
||||||
|
|
|
@ -177,6 +177,14 @@ struct ike_sa_t {
|
||||||
*/
|
*/
|
||||||
host_t* (*get_my_host) (ike_sa_t *this);
|
host_t* (*get_my_host) (ike_sa_t *this);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Set the own host address.
|
||||||
|
*
|
||||||
|
* @param this calling object
|
||||||
|
* @param me host address
|
||||||
|
*/
|
||||||
|
void (*set_my_host) (ike_sa_t *this, host_t *me);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Get the other peers host address.
|
* @brief Get the other peers host address.
|
||||||
*
|
*
|
||||||
|
@ -185,6 +193,14 @@ struct ike_sa_t {
|
||||||
*/
|
*/
|
||||||
host_t* (*get_other_host) (ike_sa_t *this);
|
host_t* (*get_other_host) (ike_sa_t *this);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Set the others host address.
|
||||||
|
*
|
||||||
|
* @param this calling object
|
||||||
|
* @param other host address
|
||||||
|
*/
|
||||||
|
void (*set_other_host) (ike_sa_t *this, host_t *other);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Get the own identification.
|
* @brief Get the own identification.
|
||||||
*
|
*
|
||||||
|
@ -389,22 +405,25 @@ struct ike_sa_t {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Derive all keys and create the transforms for IKE communication.
|
* @brief Derive all keys and create the transforms for IKE communication.
|
||||||
*
|
*
|
||||||
* Keys are derived using the diffie hellman secret, nonces and internal
|
* Keys are derived using the diffie hellman secret, nonces and internal
|
||||||
* stored SPIs.
|
* stored SPIs.
|
||||||
* Already existing objects get destroyed.
|
* Key derivation differs when an IKE_SA is set up to replace an
|
||||||
*
|
* existing IKE_SA (rekeying). The SK_d key from the old IKE_SA
|
||||||
|
* is included in the derivation process.
|
||||||
|
*
|
||||||
* @param this calling object
|
* @param this calling object
|
||||||
* @param proposal proposal which contains algorithms to use
|
* @param proposal proposal which contains algorithms to use
|
||||||
* @param dh diffie hellman object with shared secret
|
* @param dh diffie hellman object with shared secret
|
||||||
* @param nonce_i initiators nonce
|
* @param nonce_i initiators nonce
|
||||||
* @param nonce_r responders nonce
|
* @param nonce_r responders nonce
|
||||||
* @param initiator role of this IKE SA (TRUE = originial initiator)
|
* @param initiator TRUE if initiator, FALSE otherwise
|
||||||
|
* @param rekey_prf PRF with SK_d key when rekeying, NULL otherwise
|
||||||
*/
|
*/
|
||||||
status_t (*build_transforms) (ike_sa_t *this, proposal_t* proposal,
|
status_t (*derive_keys)(ike_sa_t *this, proposal_t* proposal,
|
||||||
diffie_hellman_t *dh,
|
diffie_hellman_t *dh,
|
||||||
chunk_t nonce_i, chunk_t nonce_r,
|
chunk_t nonce_i, chunk_t nonce_r,
|
||||||
bool initiator);
|
bool initiator, prf_t *rekey_prf);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Get the multi purpose prf.
|
* @brief Get the multi purpose prf.
|
||||||
|
@ -510,6 +529,42 @@ struct ike_sa_t {
|
||||||
* - SUCCESS
|
* - SUCCESS
|
||||||
*/
|
*/
|
||||||
status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
|
status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Set lifetimes of an IKE_SA.
|
||||||
|
*
|
||||||
|
* Two lifetimes are specified. The soft_lifetime says, when rekeying should
|
||||||
|
* be initiated. The hard_lifetime says, when the IKE_SA has been expired
|
||||||
|
* and must be deleted. Normally, hard_lifetime > soft_lifetime, and
|
||||||
|
* hard_lifetime is only reached when rekeying at soft_lifetime fails.
|
||||||
|
*
|
||||||
|
* @param this calling object
|
||||||
|
* @param soft_lifetime soft_lifetime
|
||||||
|
* @param hard_lifetime hard_lifetime
|
||||||
|
*/
|
||||||
|
void (*set_lifetimes) (ike_sa_t *this,
|
||||||
|
u_int32_t soft_lifetime, u_int32_t hard_lifetime);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Rekey the IKE_SA.
|
||||||
|
*
|
||||||
|
* Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
|
||||||
|
*
|
||||||
|
* @param this calling object
|
||||||
|
* @return - SUCCESS, if IKE_SA rekeying initiated
|
||||||
|
*/
|
||||||
|
status_t (*rekey) (ike_sa_t *this);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Move all children from other IKE_SA to this IKE_SA.
|
||||||
|
*
|
||||||
|
* After rekeying completes, all children are switched over to the
|
||||||
|
* newly created IKE_SA.
|
||||||
|
*
|
||||||
|
* @param this stepfather
|
||||||
|
* @param other deceased (rekeyed) IKE_SA
|
||||||
|
*/
|
||||||
|
void (*adopt_children) (ike_sa_t *this, ike_sa_t *other);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Destroys a ike_sa_t object.
|
* @brief Destroys a ike_sa_t object.
|
||||||
|
|
|
@ -402,7 +402,8 @@ static ike_sa_t* checkout_by_ids(private_ike_sa_manager_t *this,
|
||||||
found_my_id = entry->ike_sa->get_my_id(entry->ike_sa);
|
found_my_id = entry->ike_sa->get_my_id(entry->ike_sa);
|
||||||
found_other_id = entry->ike_sa->get_other_id(entry->ike_sa);
|
found_other_id = entry->ike_sa->get_other_id(entry->ike_sa);
|
||||||
|
|
||||||
if (!found_my_id || !found_other_id)
|
if (found_my_id->get_type(found_my_id) == ID_ANY &&
|
||||||
|
found_other_id->get_type(found_other_id) == ID_ANY)
|
||||||
{
|
{
|
||||||
/* IKE_SA has no IDs yet, so we can't use it */
|
/* IKE_SA has no IDs yet, so we can't use it */
|
||||||
continue;
|
continue;
|
||||||
|
@ -447,7 +448,7 @@ static ike_sa_t* checkout_by_ids(private_ike_sa_manager_t *this,
|
||||||
"new IKE_SA created for IDs %s - %s",
|
"new IKE_SA created for IDs %s - %s",
|
||||||
my_id->get_string(my_id), other_id->get_string(other_id));
|
my_id->get_string(my_id), other_id->get_string(other_id));
|
||||||
new_ike_sa_entry->checked_out = TRUE;
|
new_ike_sa_entry->checked_out = TRUE;
|
||||||
ike_sa = new_ike_sa_entry->ike_sa;
|
ike_sa = new_ike_sa_entry->ike_sa;
|
||||||
}
|
}
|
||||||
pthread_mutex_unlock(&(this->mutex));
|
pthread_mutex_unlock(&(this->mutex));
|
||||||
|
|
||||||
|
@ -476,8 +477,8 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
|
||||||
/* each access is locked */
|
/* each access is locked */
|
||||||
pthread_mutex_lock(&(this->mutex));
|
pthread_mutex_lock(&(this->mutex));
|
||||||
|
|
||||||
responder_spi_set = (FALSE != ike_sa_id->get_responder_spi(ike_sa_id));
|
responder_spi_set = ike_sa_id->get_responder_spi(ike_sa_id);
|
||||||
initiator_spi_set = (FALSE != ike_sa_id->get_initiator_spi(ike_sa_id));
|
initiator_spi_set = ike_sa_id->get_initiator_spi(ike_sa_id);
|
||||||
original_initiator = ike_sa_id->is_initiator(ike_sa_id);
|
original_initiator = ike_sa_id->is_initiator(ike_sa_id);
|
||||||
|
|
||||||
if ((initiator_spi_set && responder_spi_set) ||
|
if ((initiator_spi_set && responder_spi_set) ||
|
||||||
|
@ -523,7 +524,6 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
|
||||||
u_int64_t responder_spi;
|
u_int64_t responder_spi;
|
||||||
ike_sa_entry_t *new_ike_sa_entry;
|
ike_sa_entry_t *new_ike_sa_entry;
|
||||||
|
|
||||||
|
|
||||||
/* set SPIs, we are the responder */
|
/* set SPIs, we are the responder */
|
||||||
responder_spi = this->get_next_spi(this);
|
responder_spi = this->get_next_spi(this);
|
||||||
|
|
||||||
|
@ -541,6 +541,26 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
|
||||||
new_ike_sa_entry->checked_out = TRUE;
|
new_ike_sa_entry->checked_out = TRUE;
|
||||||
ike_sa = new_ike_sa_entry->ike_sa;
|
ike_sa = new_ike_sa_entry->ike_sa;
|
||||||
}
|
}
|
||||||
|
else if (!initiator_spi_set && !responder_spi_set && original_initiator)
|
||||||
|
{
|
||||||
|
/* checkout of a new and unused IKE_SA, used for rekeying */
|
||||||
|
ike_sa_entry_t *new_ike_sa_entry;
|
||||||
|
|
||||||
|
ike_sa_id->set_initiator_spi(ike_sa_id, this->get_next_spi(this));
|
||||||
|
/* create entry */
|
||||||
|
new_ike_sa_entry = ike_sa_entry_create(ike_sa_id);
|
||||||
|
this->logger->log(this->logger, CONTROL|LEVEL2,
|
||||||
|
"created IKE_SA %llx:%llx, role %s",
|
||||||
|
ike_sa_id->get_initiator_spi(ike_sa_id),
|
||||||
|
ike_sa_id->get_responder_spi(ike_sa_id),
|
||||||
|
ike_sa_id->is_initiator(ike_sa_id) ? "initiator" : "responder");
|
||||||
|
|
||||||
|
this->ike_sa_list->insert_last(this->ike_sa_list, new_ike_sa_entry);
|
||||||
|
|
||||||
|
/* check ike_sa out */
|
||||||
|
new_ike_sa_entry->checked_out = TRUE;
|
||||||
|
ike_sa = new_ike_sa_entry->ike_sa;
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
/* responder set, initiator not: here is something seriously wrong! */
|
/* responder set, initiator not: here is something seriously wrong! */
|
||||||
|
@ -829,7 +849,7 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
this->logger->log(this->logger,ERROR,
|
this->logger->log(this->logger,ERROR|LEVEL1,
|
||||||
"tried to delete nonexisting IKE_SA");
|
"tried to delete nonexisting IKE_SA");
|
||||||
retval = NOT_FOUND;
|
retval = NOT_FOUND;
|
||||||
}
|
}
|
||||||
|
|
|
@ -187,6 +187,20 @@ static void destroy_ts_list(linked_list_t *list)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* destroy a list of proposals
|
||||||
|
*/
|
||||||
|
static void destroy_proposal_list(linked_list_t *list)
|
||||||
|
{
|
||||||
|
proposal_t *proposal;
|
||||||
|
|
||||||
|
while (list->remove_last(list, (void**)&proposal) == SUCCESS)
|
||||||
|
{
|
||||||
|
proposal->destroy(proposal);
|
||||||
|
}
|
||||||
|
list->destroy(list);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of transaction_t.get_request.
|
* Implementation of transaction_t.get_request.
|
||||||
*/
|
*/
|
||||||
|
@ -280,6 +294,7 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
|
||||||
return FAILED;
|
return FAILED;
|
||||||
}
|
}
|
||||||
sa_payload = sa_payload_create_from_proposal_list(proposals);
|
sa_payload = sa_payload_create_from_proposal_list(proposals);
|
||||||
|
destroy_proposal_list(proposals);
|
||||||
request->add_payload(request, (payload_t*)sa_payload);
|
request->add_payload(request, (payload_t*)sa_payload);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -628,7 +643,6 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
|
||||||
}
|
}
|
||||||
|
|
||||||
{ /* process SA payload */
|
{ /* process SA payload */
|
||||||
proposal_t *proposal;
|
|
||||||
linked_list_t *proposal_list;
|
linked_list_t *proposal_list;
|
||||||
sa_payload_t *sa_response;
|
sa_payload_t *sa_response;
|
||||||
ts_payload_t *ts_response;
|
ts_payload_t *ts_response;
|
||||||
|
@ -640,13 +654,8 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
|
||||||
proposal_list = sa_request->get_proposals(sa_request);
|
proposal_list = sa_request->get_proposals(sa_request);
|
||||||
this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:");
|
this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:");
|
||||||
this->proposal = this->policy->select_proposal(this->policy, proposal_list);
|
this->proposal = this->policy->select_proposal(this->policy, proposal_list);
|
||||||
/* list is not needed anymore */
|
destroy_proposal_list(proposal_list);
|
||||||
while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
|
|
||||||
{
|
|
||||||
proposal->destroy(proposal);
|
|
||||||
}
|
|
||||||
proposal_list->destroy(proposal_list);
|
|
||||||
|
|
||||||
/* do we have a proposal? */
|
/* do we have a proposal? */
|
||||||
if (this->proposal == NULL)
|
if (this->proposal == NULL)
|
||||||
{
|
{
|
||||||
|
@ -814,18 +823,12 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
|
||||||
}
|
}
|
||||||
|
|
||||||
{ /* process sa payload */
|
{ /* process sa payload */
|
||||||
proposal_t *proposal;
|
|
||||||
linked_list_t *proposal_list;
|
linked_list_t *proposal_list;
|
||||||
|
|
||||||
proposal_list = sa_payload->get_proposals(sa_payload);
|
proposal_list = sa_payload->get_proposals(sa_payload);
|
||||||
/* we have to re-check here if other's selection is valid */
|
/* we have to re-check here if other's selection is valid */
|
||||||
this->proposal = this->policy->select_proposal(this->policy, proposal_list);
|
this->proposal = this->policy->select_proposal(this->policy, proposal_list);
|
||||||
/* list not needed anymore */
|
destroy_proposal_list(proposal_list);
|
||||||
while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
|
|
||||||
{
|
|
||||||
proposal->destroy(proposal);
|
|
||||||
}
|
|
||||||
proposal_list->destroy(proposal_list);
|
|
||||||
|
|
||||||
/* everything fine to create CHILD? */
|
/* everything fine to create CHILD? */
|
||||||
if (this->proposal == NULL ||
|
if (this->proposal == NULL ||
|
||||||
|
|
|
@ -191,6 +191,20 @@ static void destroy_ts_list(linked_list_t *list)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* destroy a list of proposals
|
||||||
|
*/
|
||||||
|
static void destroy_proposal_list(linked_list_t *list)
|
||||||
|
{
|
||||||
|
proposal_t *proposal;
|
||||||
|
|
||||||
|
while (list->remove_last(list, (void**)&proposal) == SUCCESS)
|
||||||
|
{
|
||||||
|
proposal->destroy(proposal);
|
||||||
|
}
|
||||||
|
list->destroy(list);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of transaction_t.get_request.
|
* Implementation of transaction_t.get_request.
|
||||||
*/
|
*/
|
||||||
|
@ -298,6 +312,7 @@ static status_t get_request(private_ike_auth_t *this, message_t **result)
|
||||||
return DESTROY_ME;
|
return DESTROY_ME;
|
||||||
}
|
}
|
||||||
sa_payload = sa_payload_create_from_proposal_list(proposal_list);
|
sa_payload = sa_payload_create_from_proposal_list(proposal_list);
|
||||||
|
destroy_proposal_list(proposal_list);
|
||||||
request->add_payload(request, (payload_t*)sa_payload);
|
request->add_payload(request, (payload_t*)sa_payload);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -717,7 +732,6 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
|
||||||
}
|
}
|
||||||
|
|
||||||
{ /* process SA payload */
|
{ /* process SA payload */
|
||||||
proposal_t *proposal;
|
|
||||||
linked_list_t *proposal_list;
|
linked_list_t *proposal_list;
|
||||||
sa_payload_t *sa_response;
|
sa_payload_t *sa_response;
|
||||||
ts_payload_t *ts_response;
|
ts_payload_t *ts_response;
|
||||||
|
@ -731,12 +745,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
|
||||||
proposal_list = sa_request->get_proposals(sa_request);
|
proposal_list = sa_request->get_proposals(sa_request);
|
||||||
this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:");
|
this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:");
|
||||||
this->proposal = this->policy->select_proposal(this->policy, proposal_list);
|
this->proposal = this->policy->select_proposal(this->policy, proposal_list);
|
||||||
/* list is not needed anymore */
|
destroy_proposal_list(proposal_list);
|
||||||
while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
|
|
||||||
{
|
|
||||||
proposal->destroy(proposal);
|
|
||||||
}
|
|
||||||
proposal_list->destroy(proposal_list);
|
|
||||||
|
|
||||||
/* do we have a proposal? */
|
/* do we have a proposal? */
|
||||||
if (this->proposal == NULL)
|
if (this->proposal == NULL)
|
||||||
|
@ -929,18 +938,12 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
|
||||||
}
|
}
|
||||||
|
|
||||||
{ /* process sa payload */
|
{ /* process sa payload */
|
||||||
proposal_t *proposal;
|
|
||||||
linked_list_t *proposal_list;
|
linked_list_t *proposal_list;
|
||||||
|
|
||||||
proposal_list = sa_payload->get_proposals(sa_payload);
|
proposal_list = sa_payload->get_proposals(sa_payload);
|
||||||
/* we have to re-check here if other's selection is valid */
|
/* we have to re-check here if other's selection is valid */
|
||||||
this->proposal = this->policy->select_proposal(this->policy, proposal_list);
|
this->proposal = this->policy->select_proposal(this->policy, proposal_list);
|
||||||
/* list not needed anymore */
|
destroy_proposal_list(proposal_list);
|
||||||
while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
|
|
||||||
{
|
|
||||||
proposal->destroy(proposal);
|
|
||||||
}
|
|
||||||
proposal_list->destroy(proposal_list);
|
|
||||||
|
|
||||||
/* everything fine to create CHILD? */
|
/* everything fine to create CHILD? */
|
||||||
if (this->proposal == NULL ||
|
if (this->proposal == NULL ||
|
||||||
|
|
|
@ -34,6 +34,8 @@
|
||||||
#include <encoding/payloads/nonce_payload.h>
|
#include <encoding/payloads/nonce_payload.h>
|
||||||
#include <sa/transactions/ike_auth.h>
|
#include <sa/transactions/ike_auth.h>
|
||||||
#include <queues/jobs/delete_half_open_ike_sa_job.h>
|
#include <queues/jobs/delete_half_open_ike_sa_job.h>
|
||||||
|
#include <queues/jobs/delete_established_ike_sa_job.h>
|
||||||
|
#include <queues/jobs/rekey_ike_sa_job.h>
|
||||||
|
|
||||||
|
|
||||||
typedef struct private_ike_sa_init_t private_ike_sa_init_t;
|
typedef struct private_ike_sa_init_t private_ike_sa_init_t;
|
||||||
|
@ -262,6 +264,20 @@ static notify_payload_t *build_natd_payload(private_ike_sa_init_t *this,
|
||||||
return notify;
|
return notify;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* destroy a list of proposals
|
||||||
|
*/
|
||||||
|
static void destroy_proposal_list(linked_list_t *list)
|
||||||
|
{
|
||||||
|
proposal_t *proposal;
|
||||||
|
|
||||||
|
while (list->remove_last(list, (void**)&proposal) == SUCCESS)
|
||||||
|
{
|
||||||
|
proposal->destroy(proposal);
|
||||||
|
}
|
||||||
|
list->destroy(list);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of transaction_t.get_request.
|
* Implementation of transaction_t.get_request.
|
||||||
*/
|
*/
|
||||||
|
@ -323,6 +339,7 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result)
|
||||||
|
|
||||||
proposal_list = this->connection->get_proposals(this->connection);
|
proposal_list = this->connection->get_proposals(this->connection);
|
||||||
sa_payload = sa_payload_create_from_proposal_list(proposal_list);
|
sa_payload = sa_payload_create_from_proposal_list(proposal_list);
|
||||||
|
destroy_proposal_list(proposal_list);
|
||||||
|
|
||||||
request->add_payload(request, (payload_t*)sa_payload);
|
request->add_payload(request, (payload_t*)sa_payload);
|
||||||
}
|
}
|
||||||
|
@ -619,15 +636,10 @@ static status_t get_response(private_ike_sa_init_t *this,
|
||||||
*/
|
*/
|
||||||
sa_payload_t* sa_response;
|
sa_payload_t* sa_response;
|
||||||
linked_list_t *proposal_list;
|
linked_list_t *proposal_list;
|
||||||
proposal_t *proposal;
|
|
||||||
|
|
||||||
proposal_list = sa_request->get_proposals(sa_request);
|
proposal_list = sa_request->get_proposals(sa_request);
|
||||||
this->proposal = this->connection->select_proposal(this->connection, proposal_list);
|
this->proposal = this->connection->select_proposal(this->connection, proposal_list);
|
||||||
while(proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
|
destroy_proposal_list(proposal_list);
|
||||||
{
|
|
||||||
proposal->destroy(proposal);
|
|
||||||
}
|
|
||||||
proposal_list->destroy(proposal_list);
|
|
||||||
if (this->proposal == NULL)
|
if (this->proposal == NULL)
|
||||||
{
|
{
|
||||||
notify_payload_t *notify = notify_payload_create();
|
notify_payload_t *notify = notify_payload_create();
|
||||||
|
@ -760,10 +772,10 @@ static status_t get_response(private_ike_sa_init_t *this,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* derive all the keys used in the IKE_SA */
|
/* derive all the keys used in the IKE_SA */
|
||||||
if (this->ike_sa->build_transforms(this->ike_sa, this->proposal,
|
if (this->ike_sa->derive_keys(this->ike_sa, this->proposal,
|
||||||
this->diffie_hellman,
|
this->diffie_hellman,
|
||||||
this->nonce_i, this->nonce_r,
|
this->nonce_i, this->nonce_r,
|
||||||
FALSE) != SUCCESS)
|
FALSE, NULL) != SUCCESS)
|
||||||
{
|
{
|
||||||
notify_payload_t *notify = notify_payload_create();
|
notify_payload_t *notify = notify_payload_create();
|
||||||
notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN);
|
notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN);
|
||||||
|
@ -773,6 +785,10 @@ static status_t get_response(private_ike_sa_init_t *this,
|
||||||
return DESTROY_ME;
|
return DESTROY_ME;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
this->ike_sa->set_lifetimes(this->ike_sa,
|
||||||
|
this->connection->get_soft_lifetime(this->connection),
|
||||||
|
this->connection->get_hard_lifetime(this->connection));
|
||||||
|
|
||||||
{ /* create ike_auth transaction, which will store informations for us */
|
{ /* create ike_auth transaction, which will store informations for us */
|
||||||
packet_t *response_packet;
|
packet_t *response_packet;
|
||||||
chunk_t request_chunk, response_chunk;
|
chunk_t request_chunk, response_chunk;
|
||||||
|
@ -812,6 +828,7 @@ static status_t get_response(private_ike_sa_init_t *this,
|
||||||
}
|
}
|
||||||
/* set new state */
|
/* set new state */
|
||||||
this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
|
this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
|
||||||
|
|
||||||
return SUCCESS;
|
return SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -941,11 +958,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
|
||||||
|
|
||||||
/* we have to re-check if the others selection is valid */
|
/* we have to re-check if the others selection is valid */
|
||||||
this->proposal = this->connection->select_proposal(this->connection, proposal_list);
|
this->proposal = this->connection->select_proposal(this->connection, proposal_list);
|
||||||
while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
|
destroy_proposal_list(proposal_list);
|
||||||
{
|
|
||||||
proposal->destroy(proposal);
|
|
||||||
}
|
|
||||||
proposal_list->destroy(proposal_list);
|
|
||||||
|
|
||||||
if (this->proposal == NULL)
|
if (this->proposal == NULL)
|
||||||
{
|
{
|
||||||
|
@ -1003,16 +1016,20 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
|
||||||
ike_sa_id->set_responder_spi(ike_sa_id, responder_spi);
|
ike_sa_id->set_responder_spi(ike_sa_id, responder_spi);
|
||||||
|
|
||||||
/* derive all the keys used in the IKE_SA */
|
/* derive all the keys used in the IKE_SA */
|
||||||
if (this->ike_sa->build_transforms(this->ike_sa, this->proposal,
|
if (this->ike_sa->derive_keys(this->ike_sa, this->proposal,
|
||||||
this->diffie_hellman,
|
this->diffie_hellman,
|
||||||
this->nonce_i, this->nonce_r,
|
this->nonce_i, this->nonce_r,
|
||||||
TRUE) != SUCCESS)
|
TRUE, NULL) != SUCCESS)
|
||||||
{
|
{
|
||||||
this->logger->log(this->logger, AUDIT,
|
this->logger->log(this->logger, AUDIT,
|
||||||
"transform objects could not be created from selected proposal, deleting IKE_SA");
|
"transform objects could not be created from selected proposal, deleting IKE_SA");
|
||||||
return DESTROY_ME;
|
return DESTROY_ME;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
this->ike_sa->set_lifetimes(this->ike_sa,
|
||||||
|
this->connection->get_soft_lifetime(this->connection),
|
||||||
|
this->connection->get_hard_lifetime(this->connection));
|
||||||
|
|
||||||
{ /* create ike_auth transaction, which will continue IKE_SA setup */
|
{ /* create ike_auth transaction, which will continue IKE_SA setup */
|
||||||
chunk_t request_chunk, response_chunk;
|
chunk_t request_chunk, response_chunk;
|
||||||
ike_auth_t *ike_auth;
|
ike_auth_t *ike_auth;
|
||||||
|
|
|
@ -0,0 +1,800 @@
|
||||||
|
/**
|
||||||
|
* @file rekey_ike_sa.c
|
||||||
|
*
|
||||||
|
* @brief Implementation of rekey_ike_sa_t transaction.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006 Martin Willi
|
||||||
|
* Hochschule fuer Technik Rapperswil
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||||
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
* for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "rekey_ike_sa.h"
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
#include <daemon.h>
|
||||||
|
#include <encoding/payloads/sa_payload.h>
|
||||||
|
#include <encoding/payloads/nonce_payload.h>
|
||||||
|
#include <encoding/payloads/ke_payload.h>
|
||||||
|
#include <sa/transactions/delete_ike_sa.h>
|
||||||
|
#include <utils/randomizer.h>
|
||||||
|
|
||||||
|
|
||||||
|
typedef struct private_rekey_ike_sa_t private_rekey_ike_sa_t;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Private members of a rekey_ike_sa_t object..
|
||||||
|
*/
|
||||||
|
struct private_rekey_ike_sa_t {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Public methods and transaction_t interface.
|
||||||
|
*/
|
||||||
|
rekey_ike_sa_t public;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Assigned IKE_SA.
|
||||||
|
*/
|
||||||
|
ike_sa_t *ike_sa;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Message sent by our peer, if already generated
|
||||||
|
*/
|
||||||
|
message_t *message;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Message ID this transaction uses
|
||||||
|
*/
|
||||||
|
u_int32_t message_id;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Times we did send the request
|
||||||
|
*/
|
||||||
|
u_int32_t requested;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* IKE_SA we set up, replaces ike_sa
|
||||||
|
*/
|
||||||
|
ike_sa_t *new_sa;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Connection used to replace IKE_SA
|
||||||
|
*/
|
||||||
|
connection_t *connection;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* initiator chosen nonce
|
||||||
|
*/
|
||||||
|
chunk_t nonce_i;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* responder chosen nonce
|
||||||
|
*/
|
||||||
|
chunk_t nonce_r;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* lower of the nonces of a simultaneus rekeying request
|
||||||
|
*/
|
||||||
|
chunk_t nonce_s;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Diffie hellman to generate new shared secret
|
||||||
|
*/
|
||||||
|
diffie_hellman_t *diffie_hellman;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* negotiated proposal to use
|
||||||
|
*/
|
||||||
|
proposal_t *proposal;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Have we lost the simultaneous rekeying nonce compare?
|
||||||
|
*/
|
||||||
|
bool lost;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* source of randomness for nonces
|
||||||
|
*/
|
||||||
|
randomizer_t *randomizer;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* next transaction processed by the IKE_SA
|
||||||
|
*/
|
||||||
|
transaction_t **next;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Assigned logger.
|
||||||
|
*/
|
||||||
|
logger_t *logger;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of transaction_t.get_message_id.
|
||||||
|
*/
|
||||||
|
static u_int32_t get_message_id(private_rekey_ike_sa_t *this)
|
||||||
|
{
|
||||||
|
return this->message_id;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of transaction_t.requested.
|
||||||
|
*/
|
||||||
|
static u_int32_t requested(private_rekey_ike_sa_t *this)
|
||||||
|
{
|
||||||
|
return this->requested++;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of rekey_ike_sa_t.use_dh_group.
|
||||||
|
*/
|
||||||
|
static bool use_dh_group(private_rekey_ike_sa_t *this, diffie_hellman_group_t dh_group)
|
||||||
|
{
|
||||||
|
if (this->connection->check_dh_group(this->connection, dh_group))
|
||||||
|
{
|
||||||
|
this->diffie_hellman = diffie_hellman_create(dh_group);
|
||||||
|
if (this->diffie_hellman)
|
||||||
|
{
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of rekey_ike_sa_t.cancel.
|
||||||
|
*/
|
||||||
|
static void cancel(private_rekey_ike_sa_t *this)
|
||||||
|
{
|
||||||
|
this->lost = TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* destroy a list of proposals
|
||||||
|
*/
|
||||||
|
static void destroy_proposal_list(linked_list_t *list)
|
||||||
|
{
|
||||||
|
proposal_t *proposal;
|
||||||
|
|
||||||
|
while (list->remove_last(list, (void**)&proposal) == SUCCESS)
|
||||||
|
{
|
||||||
|
proposal->destroy(proposal);
|
||||||
|
}
|
||||||
|
list->destroy(list);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of transaction_t.get_request.
|
||||||
|
*/
|
||||||
|
static status_t get_request(private_rekey_ike_sa_t *this, message_t **result)
|
||||||
|
{
|
||||||
|
message_t *request;
|
||||||
|
host_t *me, *other;
|
||||||
|
|
||||||
|
/* check if we already have built a message (retransmission) */
|
||||||
|
if (this->message)
|
||||||
|
{
|
||||||
|
*result = this->message;
|
||||||
|
return SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
me = this->ike_sa->get_my_host(this->ike_sa);
|
||||||
|
other = this->ike_sa->get_other_host(this->ike_sa);
|
||||||
|
|
||||||
|
/* build the request */
|
||||||
|
request = message_create();
|
||||||
|
request->set_source(request, me->clone(me));
|
||||||
|
request->set_destination(request, other->clone(other));
|
||||||
|
request->set_exchange_type(request, CREATE_CHILD_SA);
|
||||||
|
request->set_request(request, TRUE);
|
||||||
|
request->set_ike_sa_id(request, this->ike_sa->get_id(this->ike_sa));
|
||||||
|
*result = request;
|
||||||
|
this->message = request;
|
||||||
|
|
||||||
|
{ /* build SA payload */
|
||||||
|
sa_payload_t *sa_payload;
|
||||||
|
linked_list_t *proposals;
|
||||||
|
ike_sa_id_t *ike_sa_id;
|
||||||
|
iterator_t *iterator;
|
||||||
|
proposal_t *proposal;
|
||||||
|
u_int64_t spi;
|
||||||
|
|
||||||
|
/* get a connection to replace current IKE_SA */
|
||||||
|
this->connection = charon->connections->get_connection_by_name(
|
||||||
|
charon->connections,
|
||||||
|
this->ike_sa->get_name(this->ike_sa));
|
||||||
|
/* if connection lookup by name fails, try it with the hosts */
|
||||||
|
if (this->connection == NULL)
|
||||||
|
{
|
||||||
|
this->connection = charon->connections->get_connection_by_hosts(
|
||||||
|
charon->connections,
|
||||||
|
me, other);
|
||||||
|
if (this->connection == NULL)
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, ERROR,
|
||||||
|
"no connection found to rekey IKE_SA");
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* create a new SA */
|
||||||
|
ike_sa_id = ike_sa_id_create(0, 0, TRUE);
|
||||||
|
this->new_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
|
||||||
|
ike_sa_id);
|
||||||
|
spi = ike_sa_id->get_initiator_spi(ike_sa_id);
|
||||||
|
ike_sa_id->destroy(ike_sa_id);
|
||||||
|
|
||||||
|
proposals = this->connection->get_proposals(this->connection);
|
||||||
|
iterator = proposals->create_iterator(proposals, TRUE);
|
||||||
|
while (iterator->iterate(iterator, (void**)&proposal))
|
||||||
|
{
|
||||||
|
proposal->set_spi(proposal, spi);
|
||||||
|
}
|
||||||
|
iterator->destroy(iterator);
|
||||||
|
|
||||||
|
sa_payload = sa_payload_create_from_proposal_list(proposals);
|
||||||
|
destroy_proposal_list(proposals);
|
||||||
|
request->add_payload(request, (payload_t*)sa_payload);
|
||||||
|
}
|
||||||
|
|
||||||
|
{ /* build the NONCE payload for us (initiator) */
|
||||||
|
nonce_payload_t *nonce_payload;
|
||||||
|
|
||||||
|
if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer,
|
||||||
|
NONCE_SIZE, &this->nonce_i) != SUCCESS)
|
||||||
|
{
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
nonce_payload = nonce_payload_create();
|
||||||
|
nonce_payload->set_nonce(nonce_payload, this->nonce_i);
|
||||||
|
request->add_payload(request, (payload_t*)nonce_payload);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* if the DH group is set via use_dh_group(), we already have a DH object */
|
||||||
|
if (!this->diffie_hellman)
|
||||||
|
{
|
||||||
|
diffie_hellman_group_t dh_group;
|
||||||
|
|
||||||
|
dh_group = this->connection->get_dh_group(this->connection);
|
||||||
|
this->diffie_hellman = diffie_hellman_create(dh_group);
|
||||||
|
if (this->diffie_hellman == NULL)
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, AUDIT,
|
||||||
|
"DH group %s (%d) not supported, aborting",
|
||||||
|
mapping_find(diffie_hellman_group_m, dh_group), dh_group);
|
||||||
|
return DESTROY_ME;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
{ /* build the KE payload from the DH object */
|
||||||
|
ke_payload_t *ke_payload;
|
||||||
|
|
||||||
|
ke_payload = ke_payload_create_from_diffie_hellman(this->diffie_hellman);
|
||||||
|
request->add_payload(request, (payload_t*)ke_payload);
|
||||||
|
}
|
||||||
|
|
||||||
|
this->message_id = this->ike_sa->get_next_message_id(this->ike_sa);
|
||||||
|
request->set_message_id(request, this->message_id);
|
||||||
|
|
||||||
|
return SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Handle all kind of notifys
|
||||||
|
*/
|
||||||
|
static status_t process_notifys(private_rekey_ike_sa_t *this, notify_payload_t *notify_payload)
|
||||||
|
{
|
||||||
|
notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
|
||||||
|
|
||||||
|
this->logger->log(this->logger, CONTROL|LEVEL1, "process notify type %s",
|
||||||
|
mapping_find(notify_type_m, notify_type));
|
||||||
|
|
||||||
|
switch (notify_type)
|
||||||
|
{
|
||||||
|
case NO_PROPOSAL_CHOSEN:
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, AUDIT,
|
||||||
|
"received a NO_PROPOSAL_CHOSEN notify, IKE_SA rekeying failed");
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
case INVALID_KE_PAYLOAD:
|
||||||
|
{
|
||||||
|
chunk_t notify_data;
|
||||||
|
diffie_hellman_group_t dh_group, old_dh_group;
|
||||||
|
rekey_ike_sa_t *retry;
|
||||||
|
|
||||||
|
old_dh_group = this->connection->get_dh_group(this->connection);
|
||||||
|
notify_data = notify_payload->get_notification_data(notify_payload);
|
||||||
|
dh_group = ntohs(*((u_int16_t*)notify_data.ptr));
|
||||||
|
|
||||||
|
this->logger->log(this->logger, AUDIT,
|
||||||
|
"peer didn't accept DH group %s, it requested %s",
|
||||||
|
mapping_find(diffie_hellman_group_m, old_dh_group),
|
||||||
|
mapping_find(diffie_hellman_group_m, dh_group));
|
||||||
|
if (!this->connection->check_dh_group(this->connection, dh_group))
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, AUDIT,
|
||||||
|
"requested DH group not acceptable, IKE_SA rekeying failed");
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
retry = rekey_ike_sa_create(this->ike_sa);
|
||||||
|
retry->use_dh_group(retry, dh_group);
|
||||||
|
*this->next = (transaction_t*)retry;
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
{
|
||||||
|
if (notify_type < 16383)
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, AUDIT,
|
||||||
|
"received %s notify error (%d, IKE_SA rekeying failed",
|
||||||
|
mapping_find(notify_type_m, notify_type),
|
||||||
|
notify_type);
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, CONTROL,
|
||||||
|
"received %s notify (%d), ignored",
|
||||||
|
mapping_find(notify_type_m, notify_type),
|
||||||
|
notify_type);
|
||||||
|
return SUCCESS;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Switch to the new created IKE_SA
|
||||||
|
*/
|
||||||
|
static status_t switchto_new_sa(private_rekey_ike_sa_t* this, bool initiator)
|
||||||
|
{
|
||||||
|
identification_t *my_id, *other_id;
|
||||||
|
host_t *my_host, *other_host;
|
||||||
|
char *name;
|
||||||
|
|
||||||
|
my_id = this->ike_sa->get_my_id(this->ike_sa);
|
||||||
|
other_id = this->ike_sa->get_other_id(this->ike_sa);
|
||||||
|
my_host = this->ike_sa->get_my_host(this->ike_sa);
|
||||||
|
other_host = this->ike_sa->get_other_host(this->ike_sa);
|
||||||
|
name = this->connection->get_name(this->connection);
|
||||||
|
|
||||||
|
this->new_sa->set_my_id(this->new_sa, my_id->clone(my_id));
|
||||||
|
this->new_sa->set_other_id(this->new_sa, other_id->clone(other_id));
|
||||||
|
this->new_sa->set_my_host(this->new_sa, my_host->clone(my_host));
|
||||||
|
this->new_sa->set_other_host(this->new_sa, other_host->clone(other_host));
|
||||||
|
this->new_sa->set_name(this->new_sa, name);
|
||||||
|
|
||||||
|
if (this->new_sa->derive_keys(this->new_sa, this->proposal,
|
||||||
|
this->diffie_hellman,
|
||||||
|
this->nonce_i, this->nonce_r, initiator,
|
||||||
|
this->ike_sa->get_child_prf(this->ike_sa)
|
||||||
|
) != SUCCESS)
|
||||||
|
{
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
|
||||||
|
|
||||||
|
this->new_sa->adopt_children(this->new_sa, this->ike_sa);
|
||||||
|
|
||||||
|
this->new_sa->set_lifetimes(this->new_sa,
|
||||||
|
this->connection->get_soft_lifetime(this->connection),
|
||||||
|
this->connection->get_hard_lifetime(this->connection));
|
||||||
|
|
||||||
|
charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
|
||||||
|
this->new_sa = NULL;
|
||||||
|
return SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Build a notify message.
|
||||||
|
*/
|
||||||
|
static void build_notify(notify_type_t type, chunk_t data, message_t *message, bool flush_message)
|
||||||
|
{
|
||||||
|
notify_payload_t *notify;
|
||||||
|
|
||||||
|
if (flush_message)
|
||||||
|
{
|
||||||
|
payload_t *payload;
|
||||||
|
iterator_t *iterator = message->get_payload_iterator(message);
|
||||||
|
while (iterator->iterate(iterator, (void**)&payload))
|
||||||
|
{
|
||||||
|
payload->destroy(payload);
|
||||||
|
iterator->remove(iterator);
|
||||||
|
}
|
||||||
|
iterator->destroy(iterator);
|
||||||
|
}
|
||||||
|
|
||||||
|
notify = notify_payload_create();
|
||||||
|
notify->set_notify_type(notify, type);
|
||||||
|
notify->set_notification_data(notify, data);
|
||||||
|
message->add_payload(message, (payload_t*)notify);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of transaction_t.get_response.
|
||||||
|
*/
|
||||||
|
static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
|
||||||
|
message_t **result, transaction_t **next)
|
||||||
|
{
|
||||||
|
host_t *me, *other;
|
||||||
|
message_t *response;
|
||||||
|
status_t status;
|
||||||
|
iterator_t *payloads;
|
||||||
|
sa_payload_t *sa_request = NULL;
|
||||||
|
nonce_payload_t *nonce_request = NULL;
|
||||||
|
ke_payload_t *ke_request = NULL;
|
||||||
|
nonce_payload_t *nonce_response;
|
||||||
|
|
||||||
|
/* check if we already have built a response (retransmission) */
|
||||||
|
if (this->message)
|
||||||
|
{
|
||||||
|
*result = this->message;
|
||||||
|
return SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
me = this->ike_sa->get_my_host(this->ike_sa);
|
||||||
|
other = this->ike_sa->get_other_host(this->ike_sa);
|
||||||
|
this->message_id = request->get_message_id(request);
|
||||||
|
|
||||||
|
/* set up response */
|
||||||
|
response = message_create();
|
||||||
|
response->set_source(response, me->clone(me));
|
||||||
|
response->set_destination(response, other->clone(other));
|
||||||
|
response->set_exchange_type(response, CREATE_CHILD_SA);
|
||||||
|
response->set_request(response, FALSE);
|
||||||
|
response->set_message_id(response, this->message_id);
|
||||||
|
response->set_ike_sa_id(response, this->ike_sa->get_id(this->ike_sa));
|
||||||
|
this->message = response;
|
||||||
|
*result = response;
|
||||||
|
|
||||||
|
/* check message type */
|
||||||
|
if (request->get_exchange_type(request) != CREATE_CHILD_SA)
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, ERROR,
|
||||||
|
"CREATE_CHILD_SA response of invalid type, aborted");
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* apply for notify processing */
|
||||||
|
this->next = next;
|
||||||
|
|
||||||
|
/* Iterate over all payloads. */
|
||||||
|
payloads = request->get_payload_iterator(request);
|
||||||
|
while (payloads->has_next(payloads))
|
||||||
|
{
|
||||||
|
payload_t *payload;
|
||||||
|
payloads->current(payloads, (void**)&payload);
|
||||||
|
switch (payload->get_type(payload))
|
||||||
|
{
|
||||||
|
case SECURITY_ASSOCIATION:
|
||||||
|
sa_request = (sa_payload_t*)payload;
|
||||||
|
break;
|
||||||
|
case NONCE:
|
||||||
|
nonce_request = (nonce_payload_t*)payload;
|
||||||
|
break;
|
||||||
|
case KEY_EXCHANGE:
|
||||||
|
{
|
||||||
|
ke_request = (ke_payload_t*)payload;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
case NOTIFY:
|
||||||
|
{
|
||||||
|
status = process_notifys(this, (notify_payload_t*)payload);
|
||||||
|
if (status != SUCCESS)
|
||||||
|
{
|
||||||
|
payloads->destroy(payloads);
|
||||||
|
return status;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, ERROR, "ignoring %s payload (%d)",
|
||||||
|
mapping_find(payload_type_m, payload->get_type(payload)),
|
||||||
|
payload->get_type(payload));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
payloads->destroy(payloads);
|
||||||
|
|
||||||
|
/* check if we have all payloads */
|
||||||
|
if (!(sa_request && nonce_request && ke_request))
|
||||||
|
{
|
||||||
|
build_notify(INVALID_SYNTAX, CHUNK_INITIALIZER, response, TRUE);
|
||||||
|
this->logger->log(this->logger, AUDIT,
|
||||||
|
"request message incomplete, IKE_SA rekeying failed");
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
{ /* process nonce payload */
|
||||||
|
this->nonce_i = nonce_request->get_nonce(nonce_request);
|
||||||
|
if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer,
|
||||||
|
NONCE_SIZE, &this->nonce_r) != SUCCESS)
|
||||||
|
{
|
||||||
|
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
nonce_response = nonce_payload_create();
|
||||||
|
nonce_response->set_nonce(nonce_response, this->nonce_r);
|
||||||
|
}
|
||||||
|
|
||||||
|
{ /* get a connection to replace current IKE_SA */
|
||||||
|
this->connection = charon->connections->get_connection_by_name(
|
||||||
|
charon->connections,
|
||||||
|
this->ike_sa->get_name(this->ike_sa));
|
||||||
|
/* if connection lookup by name fails, try it with the hosts */
|
||||||
|
if (this->connection == NULL)
|
||||||
|
{
|
||||||
|
this->connection = charon->connections->get_connection_by_hosts(
|
||||||
|
charon->connections,
|
||||||
|
me, other);
|
||||||
|
if (this->connection == NULL)
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, ERROR,
|
||||||
|
"no connection found to rekey IKE_SA, sending NO_RROPOSAL_CHOSEN");
|
||||||
|
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
{ /* process SA payload */
|
||||||
|
linked_list_t *proposal_list;
|
||||||
|
sa_payload_t *sa_response;
|
||||||
|
u_int64_t spi;
|
||||||
|
ike_sa_id_t *ike_sa_id;
|
||||||
|
|
||||||
|
sa_response = sa_payload_create();
|
||||||
|
/* get proposals from request, and select one with ours */
|
||||||
|
proposal_list = sa_request->get_proposals(sa_request);
|
||||||
|
this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:");
|
||||||
|
this->proposal = this->connection->select_proposal(this->connection, proposal_list);
|
||||||
|
destroy_proposal_list(proposal_list);
|
||||||
|
|
||||||
|
/* do we have a proposal? */
|
||||||
|
if (this->proposal == NULL)
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, AUDIT,
|
||||||
|
"no proposals acceptable to rekey IKE_SA, sending NO_PROPOSAL_CHOSEN");
|
||||||
|
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* create IKE_SA with new SPIs */
|
||||||
|
spi = this->proposal->get_spi(this->proposal);
|
||||||
|
ike_sa_id = ike_sa_id_create(spi, 0, FALSE);
|
||||||
|
this->new_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
|
||||||
|
ike_sa_id);
|
||||||
|
spi = ike_sa_id->get_responder_spi(ike_sa_id);
|
||||||
|
ike_sa_id->destroy(ike_sa_id);
|
||||||
|
this->proposal->set_spi(this->proposal, spi);
|
||||||
|
|
||||||
|
sa_response->add_proposal(sa_response, this->proposal);
|
||||||
|
response->add_payload(response, (payload_t*)sa_response);
|
||||||
|
/* add nonce after sa payload */
|
||||||
|
response->add_payload(response, (payload_t *)nonce_response);
|
||||||
|
}
|
||||||
|
|
||||||
|
{ /* process KE payload */
|
||||||
|
diffie_hellman_group_t used_group;
|
||||||
|
ke_payload_t *ke_response;
|
||||||
|
|
||||||
|
used_group = ke_request->get_dh_group_number(ke_request);
|
||||||
|
|
||||||
|
if (!this->connection->check_dh_group(this->connection, used_group) ||
|
||||||
|
(this->diffie_hellman = diffie_hellman_create(used_group)) == NULL)
|
||||||
|
{
|
||||||
|
u_int16_t notify_group;
|
||||||
|
chunk_t notify_chunk;
|
||||||
|
|
||||||
|
notify_group = this->connection->get_dh_group(this->connection);
|
||||||
|
this->logger->log(this->logger, AUDIT,
|
||||||
|
"request used inacceptable DH group %s, sending INVALID_KE_PAYLOAD with %s",
|
||||||
|
mapping_find(diffie_hellman_group_m, used_group),
|
||||||
|
mapping_find(diffie_hellman_group_m, notify_group));
|
||||||
|
|
||||||
|
notify_group = htons(notify_group);
|
||||||
|
notify_chunk.ptr = (u_int8_t*)¬ify_group;
|
||||||
|
notify_chunk.len = sizeof(notify_group);
|
||||||
|
build_notify(INVALID_KE_PAYLOAD, notify_chunk, response, TRUE);
|
||||||
|
return DESTROY_ME;
|
||||||
|
}
|
||||||
|
this->diffie_hellman->set_other_public_value(this->diffie_hellman,
|
||||||
|
ke_request->get_key_exchange_data(ke_request));
|
||||||
|
|
||||||
|
/* build response */
|
||||||
|
ke_response = ke_payload_create_from_diffie_hellman(this->diffie_hellman);
|
||||||
|
response->add_payload(response, (payload_t*)ke_response);
|
||||||
|
}
|
||||||
|
|
||||||
|
return switchto_new_sa(this, FALSE);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of transaction_t.conclude
|
||||||
|
*/
|
||||||
|
static status_t conclude(private_rekey_ike_sa_t *this, message_t *response,
|
||||||
|
transaction_t **next)
|
||||||
|
{
|
||||||
|
iterator_t *payloads;
|
||||||
|
host_t *me, *other;
|
||||||
|
sa_payload_t *sa_payload = NULL;
|
||||||
|
nonce_payload_t *nonce_payload = NULL;
|
||||||
|
ke_payload_t *ke_payload = NULL;
|
||||||
|
status_t status;
|
||||||
|
|
||||||
|
/* check message type */
|
||||||
|
if (response->get_exchange_type(response) != CREATE_CHILD_SA)
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, ERROR,
|
||||||
|
"CREATE_CHILD_SA response of invalid type, aborting");
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
me = this->ike_sa->get_my_host(this->ike_sa);
|
||||||
|
other = this->ike_sa->get_other_host(this->ike_sa);
|
||||||
|
|
||||||
|
/* apply for notify processing */
|
||||||
|
this->next = next;
|
||||||
|
|
||||||
|
/* Iterate over all payloads to collect them */
|
||||||
|
payloads = response->get_payload_iterator(response);
|
||||||
|
while (payloads->has_next(payloads))
|
||||||
|
{
|
||||||
|
payload_t *payload;
|
||||||
|
payloads->current(payloads, (void**)&payload);
|
||||||
|
switch (payload->get_type(payload))
|
||||||
|
{
|
||||||
|
case SECURITY_ASSOCIATION:
|
||||||
|
sa_payload = (sa_payload_t*)payload;
|
||||||
|
break;
|
||||||
|
case NONCE:
|
||||||
|
nonce_payload = (nonce_payload_t*)payload;
|
||||||
|
break;
|
||||||
|
case KEY_EXCHANGE:
|
||||||
|
ke_payload = (ke_payload_t*)payload;
|
||||||
|
break;
|
||||||
|
case NOTIFY:
|
||||||
|
{
|
||||||
|
status = process_notifys(this, (notify_payload_t*)payload);
|
||||||
|
if (status != SUCCESS)
|
||||||
|
{
|
||||||
|
payloads->destroy(payloads);
|
||||||
|
return status;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, ERROR, "ignoring %s payload (%d)",
|
||||||
|
mapping_find(payload_type_m, payload->get_type(payload)),
|
||||||
|
payload->get_type(payload));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
payloads->destroy(payloads);
|
||||||
|
|
||||||
|
if (!(sa_payload && nonce_payload && ke_payload))
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, AUDIT, "response message incomplete, rekeying IKE_SA failed");
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
{ /* process NONCE payload */
|
||||||
|
this->nonce_r = nonce_payload->get_nonce(nonce_payload);
|
||||||
|
}
|
||||||
|
|
||||||
|
{ /* process SA payload */
|
||||||
|
linked_list_t *proposal_list;
|
||||||
|
ike_sa_id_t *ike_sa_id;
|
||||||
|
u_int64_t spi;
|
||||||
|
|
||||||
|
proposal_list = sa_payload->get_proposals(sa_payload);
|
||||||
|
/* we have to re-check here if other's selection is valid */
|
||||||
|
this->proposal = this->connection->select_proposal(this->connection, proposal_list);
|
||||||
|
destroy_proposal_list(proposal_list);
|
||||||
|
|
||||||
|
if (this->proposal == NULL)
|
||||||
|
{
|
||||||
|
this->logger->log(this->logger, AUDIT,
|
||||||
|
"no proposal selected, rekeying IKE_SA failed");
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
spi = this->proposal->get_spi(this->proposal);
|
||||||
|
ike_sa_id = this->new_sa->get_id(this->new_sa);
|
||||||
|
ike_sa_id->set_responder_spi(ike_sa_id, spi);
|
||||||
|
}
|
||||||
|
|
||||||
|
{ /* process KE payload */
|
||||||
|
this->diffie_hellman->set_other_public_value(this->diffie_hellman,
|
||||||
|
ke_payload->get_key_exchange_data(ke_payload));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (switchto_new_sa(this, TRUE) == SUCCESS)
|
||||||
|
{
|
||||||
|
/* new IKE_SA is in use now, delete old */
|
||||||
|
*next = (transaction_t*)delete_ike_sa_create(this->ike_sa);
|
||||||
|
return SUCCESS;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
/* this should not happen. But if, we destroy both SAs */
|
||||||
|
*next = (transaction_t*)delete_ike_sa_create(this->new_sa);
|
||||||
|
return DESTROY_ME;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* implements transaction_t.destroy
|
||||||
|
*/
|
||||||
|
static void destroy(private_rekey_ike_sa_t *this)
|
||||||
|
{
|
||||||
|
if (this->new_sa)
|
||||||
|
{
|
||||||
|
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
|
||||||
|
this->new_sa);
|
||||||
|
}
|
||||||
|
DESTROY_IF(this->message);
|
||||||
|
DESTROY_IF(this->connection);
|
||||||
|
DESTROY_IF(this->diffie_hellman);
|
||||||
|
DESTROY_IF(this->proposal);
|
||||||
|
chunk_free(&this->nonce_i);
|
||||||
|
chunk_free(&this->nonce_r);
|
||||||
|
chunk_free(&this->nonce_s);
|
||||||
|
this->randomizer->destroy(this->randomizer);
|
||||||
|
free(this);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Described in header.
|
||||||
|
*/
|
||||||
|
rekey_ike_sa_t *rekey_ike_sa_create(ike_sa_t *ike_sa)
|
||||||
|
{
|
||||||
|
private_rekey_ike_sa_t *this = malloc_thing(private_rekey_ike_sa_t);
|
||||||
|
|
||||||
|
/* transaction interface functions */
|
||||||
|
this->public.transaction.get_request = (status_t(*)(transaction_t*,message_t**))get_request;
|
||||||
|
this->public.transaction.get_response = (status_t(*)(transaction_t*,message_t*,message_t**,transaction_t**))get_response;
|
||||||
|
this->public.transaction.conclude = (status_t(*)(transaction_t*,message_t*,transaction_t**))conclude;
|
||||||
|
this->public.transaction.get_message_id = (u_int32_t(*)(transaction_t*))get_message_id;
|
||||||
|
this->public.transaction.requested = (u_int32_t(*)(transaction_t*))requested;
|
||||||
|
this->public.transaction.destroy = (void(*)(transaction_t*))destroy;
|
||||||
|
|
||||||
|
/* public functions */
|
||||||
|
this->public.use_dh_group = (bool(*)(rekey_ike_sa_t*,diffie_hellman_group_t))use_dh_group;
|
||||||
|
this->public.cancel = (void(*)(rekey_ike_sa_t*))cancel;
|
||||||
|
|
||||||
|
/* private data */
|
||||||
|
this->ike_sa = ike_sa;
|
||||||
|
this->message_id = 0;
|
||||||
|
this->message = NULL;
|
||||||
|
this->requested = 0;
|
||||||
|
this->nonce_i = CHUNK_INITIALIZER;
|
||||||
|
this->nonce_r = CHUNK_INITIALIZER;
|
||||||
|
this->nonce_s = CHUNK_INITIALIZER;
|
||||||
|
this->new_sa = NULL;
|
||||||
|
this->lost = FALSE;
|
||||||
|
this->connection = NULL;
|
||||||
|
this->randomizer = randomizer_create();
|
||||||
|
this->diffie_hellman = NULL;
|
||||||
|
this->proposal = NULL;
|
||||||
|
this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
|
||||||
|
|
||||||
|
return &this->public;
|
||||||
|
}
|
|
@ -0,0 +1,82 @@
|
||||||
|
/**
|
||||||
|
* @file rekey_ike_sa.h
|
||||||
|
*
|
||||||
|
* @brief Interface of transaction rekey_ike_sa.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006 Martin Willi
|
||||||
|
* Hochschule fuer Technik Rapperswil
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||||
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
* for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef REKEY_IKE_SA_H
|
||||||
|
#define REKEY_IKE_SA_H
|
||||||
|
|
||||||
|
#include <sa/ike_sa.h>
|
||||||
|
#include <sa/transactions/transaction.h>
|
||||||
|
#include <crypto/diffie_hellman.h>
|
||||||
|
|
||||||
|
|
||||||
|
typedef struct rekey_ike_sa_t rekey_ike_sa_t;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief A transaction to rekey an established IKE_SA
|
||||||
|
*
|
||||||
|
* @b Constructors:
|
||||||
|
* - rekey_ike_sa_create()
|
||||||
|
* - transaction_create() with the appropriate message
|
||||||
|
*
|
||||||
|
* @ingroup transactions
|
||||||
|
*/
|
||||||
|
struct rekey_ike_sa_t {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The transaction_t interface.
|
||||||
|
*/
|
||||||
|
transaction_t transaction;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Set the Diffie Hellman group to use for initiating.
|
||||||
|
*
|
||||||
|
* If a first exchange fails with a INVALID_KE_PAYLOAD, the second
|
||||||
|
* try uses the DH group proposed by the responder.
|
||||||
|
*
|
||||||
|
* @param this calling object
|
||||||
|
* @param dh_group diffie hellman group to use
|
||||||
|
* @return FALSE, if DH group not allowed/supported
|
||||||
|
*/
|
||||||
|
bool (*use_dh_group) (rekey_ike_sa_t* this, diffie_hellman_group_t dh_group);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Cancel the request.
|
||||||
|
*
|
||||||
|
* Cancelling the request will set a flag in the transaction.
|
||||||
|
*
|
||||||
|
* @param this calling object
|
||||||
|
* @param child_sa CHILD_SA to rekey
|
||||||
|
*/
|
||||||
|
void (*cancel) (rekey_ike_sa_t* this);
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Create a new transaction to rekey an existing IKE_SA.
|
||||||
|
*
|
||||||
|
* @param ike_sa existing IKE_SA
|
||||||
|
* @return created rekey_ike_sa transaction
|
||||||
|
*
|
||||||
|
* @ingroup transactions
|
||||||
|
*/
|
||||||
|
rekey_ike_sa_t *rekey_ike_sa_create(ike_sa_t *ike_sa);
|
||||||
|
|
||||||
|
#endif /* REKEY_IKE_SA_H */
|
|
@ -29,6 +29,7 @@
|
||||||
#include <sa/transactions/create_child_sa.h>
|
#include <sa/transactions/create_child_sa.h>
|
||||||
#include <sa/transactions/delete_child_sa.h>
|
#include <sa/transactions/delete_child_sa.h>
|
||||||
#include <sa/transactions/dead_peer_detection.h>
|
#include <sa/transactions/dead_peer_detection.h>
|
||||||
|
#include <sa/transactions/rekey_ike_sa.h>
|
||||||
#include <encoding/payloads/ts_payload.h>
|
#include <encoding/payloads/ts_payload.h>
|
||||||
#include <encoding/payloads/sa_payload.h>
|
#include <encoding/payloads/sa_payload.h>
|
||||||
#include <encoding/payloads/nonce_payload.h>
|
#include <encoding/payloads/nonce_payload.h>
|
||||||
|
@ -89,8 +90,8 @@ transaction_t *transaction_create(ike_sa_t *ike_sa, message_t *request)
|
||||||
switch (prop_struct->get_protocol_id(prop_struct))
|
switch (prop_struct->get_protocol_id(prop_struct))
|
||||||
{
|
{
|
||||||
case PROTO_IKE:
|
case PROTO_IKE:
|
||||||
/* TODO: transaction = (transaction_t*)
|
transaction = (transaction_t*)
|
||||||
rekey_ike_sa_create(ike_sa); */
|
rekey_ike_sa_create(ike_sa);
|
||||||
break;
|
break;
|
||||||
case PROTO_AH:
|
case PROTO_AH:
|
||||||
case PROTO_ESP:
|
case PROTO_ESP:
|
||||||
|
|
|
@ -339,8 +339,10 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
|
||||||
msg->add_conn.me.sendcert,
|
msg->add_conn.me.sendcert,
|
||||||
msg->add_conn.other.sendcert,
|
msg->add_conn.other.sendcert,
|
||||||
my_host, other_host,
|
my_host, other_host,
|
||||||
RSA_DIGITAL_SIGNATURE
|
RSA_DIGITAL_SIGNATURE,
|
||||||
);
|
msg->add_conn.rekey.ike_lifetime,
|
||||||
|
msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin,
|
||||||
|
msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100);
|
||||||
|
|
||||||
if (msg->add_conn.algorithms.ike)
|
if (msg->add_conn.algorithms.ike)
|
||||||
{
|
{
|
||||||
|
|
|
@ -24,6 +24,7 @@
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <time.h>
|
#include <time.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
#include <stdarg.h>
|
||||||
|
|
||||||
#include "types.h"
|
#include "types.h"
|
||||||
|
|
||||||
|
@ -68,6 +69,54 @@ chunk_t chunk_clone(chunk_t chunk)
|
||||||
return clone;
|
return clone;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Decribed in header.
|
||||||
|
*/
|
||||||
|
chunk_t chunk_cat(const char* mode, ...)
|
||||||
|
{
|
||||||
|
chunk_t construct;
|
||||||
|
va_list chunks;
|
||||||
|
u_char *pos;
|
||||||
|
int i;
|
||||||
|
int count = strlen(mode);
|
||||||
|
|
||||||
|
/* sum up lengths of individual chunks */
|
||||||
|
va_start(chunks, mode);
|
||||||
|
construct.len = 0;
|
||||||
|
for (i = 0; i < count; i++)
|
||||||
|
{
|
||||||
|
chunk_t ch = va_arg(chunks, chunk_t);
|
||||||
|
construct.len += ch.len;
|
||||||
|
}
|
||||||
|
va_end(chunks);
|
||||||
|
|
||||||
|
/* allocate needed memory for construct */
|
||||||
|
construct.ptr = malloc(construct.len);
|
||||||
|
pos = construct.ptr;
|
||||||
|
|
||||||
|
/* copy or move the chunks */
|
||||||
|
va_start(chunks, mode);
|
||||||
|
for (i = 0; i < count; i++)
|
||||||
|
{
|
||||||
|
chunk_t ch = va_arg(chunks, chunk_t);
|
||||||
|
switch (*mode++)
|
||||||
|
{
|
||||||
|
case 'm':
|
||||||
|
memcpy(pos, ch.ptr, ch.len);
|
||||||
|
pos += ch.len;
|
||||||
|
free(ch.ptr);
|
||||||
|
break;
|
||||||
|
case 'c':
|
||||||
|
default:
|
||||||
|
memcpy(pos, ch.ptr, ch.len);
|
||||||
|
pos += ch.len;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
va_end(chunks);
|
||||||
|
|
||||||
|
return construct;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Described in header.
|
* Described in header.
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -160,6 +160,13 @@ extern chunk_t CHUNK_INITIALIZER;
|
||||||
*/
|
*/
|
||||||
chunk_t chunk_clone(chunk_t chunk);
|
chunk_t chunk_clone(chunk_t chunk);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Allocate a chunk from concatenation of other chunks.
|
||||||
|
* mode is a string 'm' and 'c, 'm' means move chunk,
|
||||||
|
* 'c' means copy chunk.
|
||||||
|
*/
|
||||||
|
chunk_t chunk_cat(const char* mode, ...);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Free contents of a chunk
|
* Free contents of a chunk
|
||||||
*/
|
*/
|
||||||
|
|
Loading…
Reference in New Issue