-rw-r--r-- | src/conftest/hooks/custom_proposal.c | 3 | ||||
-rw-r--r-- | src/conftest/hooks/pretend_auth.c | 3 | ||||
-rw-r--r-- | src/conftest/hooks/set_proposal_number.c | 2 | ||||
-rw-r--r-- | src/libcharon/encoding/payloads/sa_payload.c | 106 | ||||
-rw-r--r-- | src/libcharon/encoding/payloads/sa_payload.h | 74 | ||||
-rw-r--r-- | src/libcharon/sa/authenticators/authenticator.h | 6 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/child_create.c | 6 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/ike_init.c | 6 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/main_mode.c | 8 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/quick_mode.c | 8 | ||||
-rw-r--r-- | src/libhydra/kernel/kernel_ipsec.h | 2 |
11 files changed, 193 insertions, 31 deletions
diff --git a/src/conftest/hooks/custom_proposal.c b/src/conftest/hooks/custom_proposal.c index 9522335b1..4acea18ce 100644 --- a/src/conftest/hooks/custom_proposal.c +++ b/src/conftest/hooks/custom_proposal.c @@ -145,8 +145,7 @@ METHOD(listener_t, message, bool, proposal->get_protocol(proposal), proposal->get_spi(proposal)); DBG1(DBG_CFG, "injecting custom proposal: %#P", new_props); - new = sa_payload_create_from_proposal_list( - SECURITY_ASSOCIATION, new_props); + new = sa_payload_create_from_proposals_v2(new_props); message->add_payload(message, (payload_t*)new); new_props->destroy_offset(new_props, offsetof(proposal_t, destroy)); } diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c index 560864db5..b8f961403 100644 --- a/src/conftest/hooks/pretend_auth.c +++ b/src/conftest/hooks/pretend_auth.c @@ -295,8 +295,7 @@ static void process_auth_response(private_pretend_auth_t *this, if (this->proposal) { message->add_payload(message, (payload_t*) - sa_payload_create_from_proposal(SECURITY_ASSOCIATION, - this->proposal)); + sa_payload_create_from_proposal_v2(this->proposal)); } if (this->tsi) { diff --git a/src/conftest/hooks/set_proposal_number.c b/src/conftest/hooks/set_proposal_number.c index 32b0155cb..839ca1f37 100644 --- a/src/conftest/hooks/set_proposal_number.c +++ b/src/conftest/hooks/set_proposal_number.c @@ -121,7 +121,7 @@ METHOD(listener_t, message, bool, } enumerator->destroy(enumerator); } - sa = sa_payload_create_from_proposal_list(SECURITY_ASSOCIATION, updated); + sa = sa_payload_create_from_proposals_v2(updated); list->destroy_offset(list, offsetof(proposal_t, destroy)); updated->destroy_offset(updated, offsetof(proposal_t, destroy)); message->add_payload(message, (payload_t*)sa); diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c index 05695fce2..385517bdd 100644 --- a/src/libcharon/encoding/payloads/sa_payload.c +++ b/src/libcharon/encoding/payloads/sa_payload.c 
@@ -341,6 +341,31 @@ METHOD(sa_payload_t, create_substructure_enumerator, enumerator_t*,
 return this->proposals->create_enumerator(this->proposals);
 }
 
+METHOD(sa_payload_t, get_lifetime, u_int32_t,
+ private_sa_payload_t *this)
+{
+ return 0;
+}
+
+METHOD(sa_payload_t, get_lifebytes, u_int64_t,
+ private_sa_payload_t *this)
+{
+ return 0;
+}
+
+METHOD(sa_payload_t, get_auth_method, auth_method_t,
+ private_sa_payload_t *this)
+{
+ return AUTH_NONE;
+}
+
+METHOD(sa_payload_t, get_encap_mode, ipsec_mode_t,
+ private_sa_payload_t *this, bool *udp)
+{
+ *udp = FALSE;
+ return MODE_NONE;
+}
+
 METHOD2(payload_t, sa_payload_t, destroy, void,
 private_sa_payload_t *this)
 {
@@ -370,6 +395,10 @@ sa_payload_t *sa_payload_create(payload_type_t type)
 },
 .get_proposals = _get_proposals,
 .create_substructure_enumerator = _create_substructure_enumerator,
+ .get_lifetime = _get_lifetime,
+ .get_lifebytes = _get_lifebytes,
+ .get_auth_method = _get_auth_method,
+ .get_encap_mode = _get_encap_mode,
 .destroy = _destroy,
 },
 .next_payload = NO_PAYLOAD,
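Review bot: The four new IKEv1 accessors are stubs — get_lifetime and get_lifebytes return 0, get_auth_method returns AUTH_NONE and get_encap_mode reports MODE_NONE with *udp = FALSE regardless of what the payload carries — yet nothing in the code marks them as such, and the header comments added in the @@ -49,6 hunk of sa_payload.h describe them as returning the proposal's values. Add a marker in the style this file already uses, e.g. `/* TODO-IKEv1: parse lifetime/lifebytes/auth/mode attributes from the substructure */` above the first stub, and state "not yet implemented, returns 0/AUTH_NONE/MODE_NONE" in the header docs, so a caller does not take 0 as the peer's actual lifetime or AUTH_NONE as a negotiated method. No caller in this diff reads these getters, so the impact is limited to future callers; any IKEv1 responder code that consumes get_auth_method should treat AUTH_NONE as "not negotiated" and fail rather than as an acceptable method.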
@@ -431,3 +460,80 @@ sa_payload_t *sa_payload_create_from_proposal(payload_type_t type,
 
 return &this->public;
 }
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposals_v2(linked_list_t *proposals)
+{
+ private_sa_payload_t *this;
+ enumerator_t *enumerator;
+ proposal_t *proposal;
+
+ this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
+ enumerator = proposals->create_enumerator(proposals);
+ while (enumerator->enumerate(enumerator, &proposal))
+ {
+ add_proposal(this, proposal);
+ }
+ enumerator->destroy(enumerator);
+
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal)
+{
+ private_sa_payload_t *this;
+
+ this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
+ add_proposal(this, proposal);
+
+ return &this->public;
+
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
+ u_int32_t lifetime, u_int64_t lifebytes,
+ auth_method_t auth, ipsec_mode_t mode, bool udp)
+{
+ proposal_substructure_t *substruct;
+ private_sa_payload_t *this;
+
+ this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
+
+ /* IKEv1 encodes multiple proposals in a single substructure
+ * TODO-IKEv1: Encode ESP+AH proposals in two different substructs */
+ substruct = proposal_substructure_create_from_proposals(proposals);
+ substruct->set_is_last_proposal(substruct, TRUE);
+ this->proposals->insert_last(this->proposals, substruct);
+ compute_length(this);
+
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal,
+ u_int32_t lifetime, u_int64_t lifebytes,
+ auth_method_t auth, ipsec_mode_t mode, bool udp)
+{
+ proposal_substructure_t *substruct;
+ private_sa_payload_t *this;
+
+ this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION_V1);
+
+ substruct = proposal_substructure_create_from_proposal(
+ PROPOSAL_SUBSTRUCTURE_V1, proposal);
+ substruct->set_is_last_proposal(substruct, TRUE);
+ this->proposals->insert_last(this->proposals, substruct);
+ compute_length(this);
+
+ return &this->public;
+}
diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h
index d6c6b6036..dfba47749 100644
--- a/src/libcharon/encoding/payloads/sa_payload.h
+++ b/src/libcharon/encoding/payloads/sa_payload.h
@@ -28,6 +28,8 @@ typedef struct sa_payload_t sa_payload_t;
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/proposal_substructure.h>
 #include <utils/linked_list.h>
+#include <kernel/kernel_ipsec.h>
+#include <sa/authenticators/authenticator.h>
 
 /**
 * Class representing an IKEv1 or IKEv2 SA Payload.
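Review bot: sa_payload_create_from_proposals_v1 creates its payload with `sa_payload_create(SECURITY_ASSOCIATION)`, the IKEv2 payload type, while the sibling sa_payload_create_from_proposal_v1 a few lines below uses SECURITY_ASSOCIATION_V1; main_mode.c and quick_mode.c build_i now call the list variant, so the IKEv1 initiator's SA payload would presumably be typed as an IKEv2 payload (and, if the type selects the encoding rules, encoded as one). Change that line to `this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION_V1);`. The list variant also calls `proposal_substructure_create_from_proposals(proposals)` without the PROPOSAL_SUBSTRUCTURE_V1 argument that the single-proposal variant passes to proposal_substructure_create_from_proposal, so it is worth confirming that helper produces a v1 substructure by default. Both v1 constructors accept lifetime, lifebytes, auth, mode and udp but never use them; until they are encoded, a `/* TODO-IKEv1: encode lifetime/auth/mode attributes */` next to the ignored parameters would keep the header documentation in the @@ -70,26 hunk from overstating what the payload contains. Style: sa_payload_create_from_proposal_v2 has a stray blank line between its return and the closing brace.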
@@ -49,6 +51,35 @@ struct sa_payload_t {
 linked_list_t *(*get_proposals) (sa_payload_t *this);
 
 /**
+ * Get the (shortest) lifetime of a proposal (IKEv1 only).
+ *
+ * @return lifetime, in seconds
+ */
+ u_int32_t (*get_lifetime)(sa_payload_t *this);
+
+ /**
+ * Get the (shortest) life duration of a proposal (IKEv1 only).
+ *
+ * @return life duration, in bytes
+ */
+ u_int64_t (*get_lifebytes)(sa_payload_t *this);
+
+ /**
+ * Get the first authentication method from the proposal (IKEv1 only).
+ *
+ * @return auth method, or AUTH_NONE
+ */
+ auth_method_t (*get_auth_method)(sa_payload_t *this);
+
+ /**
+ * Get the (first) encapsulation mode from a proposal (IKEv1 only).
+ *
+ * @param udp set to TRUE if UDP encapsulation used
+ * @return ipsec encapsulation mode
+ */
+ ipsec_mode_t (*get_encap_mode)(sa_payload_t *this, bool *udp);
+
+ /**
 * Create an enumerator over all proposal substructures.
 *
 * @return enumerator over proposal_substructure_t
@@ -70,26 +101,49 @@ struct sa_payload_t {
 sa_payload_t *sa_payload_create(payload_type_t type);
 
 /**
- * Creates a sa_payload_t object from a list of proposals.
+ * Creates an IKEv2 sa_payload_t object from a list of proposals.
 *
- * @param type SECURITY_ASSOCIATION or SECURITY_ASSOCIATION_V1
 * @param proposals list of proposals to build the payload from
 * @return sa_payload_t object
 */
-sa_payload_t *sa_payload_create_from_proposal_list(payload_type_t type,
- linked_list_t *proposals);
+sa_payload_t *sa_payload_create_from_proposals_v2(linked_list_t *proposals);
+
+/**
+ * Creates an IKEv2 sa_payload_t object from a single proposal.
+ *
+ * @param proposal proposal from which the payload should be built.
+ * @return sa_payload_t object
+ */
+sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal);
 
 /**
- * Creates a sa_payload_t object from a single proposal.
+ * Creates an IKEv1 sa_payload_t object from a list of proposals.
 *
- * This is only for convenience. Use sa_payload_create_from_proposal_list
- * if you want to add more than one proposal.
+ * @param proposals list of proposals to build the payload from
+ * @param lifetime lifetime in seconds
+ * @param lifebytes lifebytes, in bytes
+ * @param auth authentication method to use, or AUTH_NONE
+ * @param mode IPsec encapsulation mode, TRANSPORT or TUNNEL
+ * @param udp TRUE to use UDP encapsulation
+ * @return sa_payload_t object
+ */
+sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
+ u_int32_t lifetime, u_int64_t lifebytes,
+ auth_method_t auth, ipsec_mode_t mode, bool udp);
+
+/**
+ * Creates an IKEv1 sa_payload_t object from a single proposal.
 *
- * @param type SECURITY_ASSOCIATION or SECURITY_ASSOCIATION_V1
 * @param proposal proposal from which the payload should be built.
+ * @param lifetime lifetime in seconds + * @param lifebytes lifebytes, in bytes + * @param auth authentication method to use, or AUTH_NONE + * @param mode IPsec encapsulation mode, TRANSPORT or TUNNEL + * @param udp TRUE to use UDP encapsulation * @return sa_payload_t object */ -sa_payload_t *sa_payload_create_from_proposal(payload_type_t type, - proposal_t *proposal); +sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal, + u_int32_t lifetime, u_int64_t lifebytes, + auth_method_t auth, ipsec_mode_t mode, bool udp); #endif /** SA_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h index d27e006a3..a3850bb7f 100644 --- a/src/libcharon/sa/authenticators/authenticator.h +++ b/src/libcharon/sa/authenticators/authenticator.h @@ -34,6 +34,12 @@ typedef struct authenticator_t authenticator_t; * Method to use for authentication, as defined in IKEv2. */ enum auth_method_t { + + /** + * No authentication used. + */ + AUTH_NONE = 0, + /** * Computed as specified in section 2.15 of RFC using * an RSA private key over a PKCS#1 padded hash. diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c index e40f34dc9..79d082138 100644 --- a/src/libcharon/sa/tasks/child_create.c +++ b/src/libcharon/sa/tasks/child_create.c @@ -527,13 +527,11 @@ static void build_payloads(private_child_create_t *this, message_t *message) /* add SA payload */ if (this->initiator) { - sa_payload = sa_payload_create_from_proposal_list(SECURITY_ASSOCIATION, - this->proposals); + sa_payload = sa_payload_create_from_proposals_v2(this->proposals); } else { - sa_payload = sa_payload_create_from_proposal(SECURITY_ASSOCIATION, - this->proposal); + sa_payload = sa_payload_create_from_proposal_v2(this->proposal); } message->add_payload(message, (payload_t*)sa_payload); diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/tasks/ike_init.c index 868680bb6..3b0c4e8f8 100644 
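Review bot: The new doc comments for both IKEv1 constructors say `@param mode IPsec encapsulation mode, TRANSPORT or TUNNEL`, but the main_mode.c hunks on the next line pass MODE_NONE (added to ipsec_mode_t in the kernel_ipsec.h hunk) for the IKE SA, so the documented value set is already wrong for half the callers; reword to `@param mode encapsulation mode for IPsec SAs (MODE_TRANSPORT/MODE_TUNNEL), MODE_NONE for an IKE SA`. `@param lifebytes lifebytes, in bytes` is circular — `@param lifebytes SA life duration in bytes` says what it is. Since the implementation in sa_payload.c does not yet encode any of these parameters, a sentence in each comment noting that they are currently not emitted would stop callers from assuming the peer receives them.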
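Review bot: AUTH_NONE = 0 is added in front of the existing auth_method_t values with no corresponding change to the enum_name_t table for this enum (auth_method_names, if it is declared as usual starting at the first RFC-defined value), so printing AUTH_NONE with %N would presumably fall outside the table's range; either extend the table or document in the new comment that AUTH_NONE is an internal sentinel. The comment `No authentication used.` reads as if it were a selectable method; value 0 is reserved in the IKEv2 Authentication Method registry, so something like `/** No authentication method negotiated (internal sentinel, never sent on the wire) */` describes it more safely for code that later switches on the value. The same applies to MODE_NONE = 0 added to ipsec_mode_t in the kernel_ipsec.h hunk.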
--- a/src/libcharon/sa/tasks/ike_init.c +++ b/src/libcharon/sa/tasks/ike_init.c @@ -133,8 +133,7 @@ static void build_payloads(private_ike_init_t *this, message_t *message) enumerator->destroy(enumerator); } - sa_payload = sa_payload_create_from_proposal_list(SECURITY_ASSOCIATION, - proposal_list); + sa_payload = sa_payload_create_from_proposals_v2(proposal_list); proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy)); } else @@ -144,8 +143,7 @@ static void build_payloads(private_ike_init_t *this, message_t *message) /* include SPI of new IKE_SA when we are rekeying */ this->proposal->set_spi(this->proposal, id->get_responder_spi(id)); } - sa_payload = sa_payload_create_from_proposal(SECURITY_ASSOCIATION, - this->proposal); + sa_payload = sa_payload_create_from_proposal_v2(this->proposal); } message->add_payload(message, (payload_t*)sa_payload); diff --git a/src/libcharon/sa/tasks/main_mode.c b/src/libcharon/sa/tasks/main_mode.c index f59276714..12ec5f71b 100644 --- a/src/libcharon/sa/tasks/main_mode.c +++ b/src/libcharon/sa/tasks/main_mode.c @@ -299,8 +299,8 @@ METHOD(task_t, build_i, status_t, proposals = this->ike_cfg->get_proposals(this->ike_cfg); - sa_payload = sa_payload_create_from_proposal_list( - SECURITY_ASSOCIATION_V1, proposals); + sa_payload = sa_payload_create_from_proposals_v1(proposals, + 0, 0, AUTH_NONE, MODE_NONE, FALSE); proposals->destroy_offset(proposals, offsetof(proposal_t, destroy)); message->add_payload(message, &sa_payload->payload_interface); @@ -573,8 +573,8 @@ METHOD(task_t, build_r, status_t, { sa_payload_t *sa_payload; - sa_payload = sa_payload_create_from_proposal(SECURITY_ASSOCIATION_V1, - this->proposal); + sa_payload = sa_payload_create_from_proposal_v1(this->proposal, + 0, 0, AUTH_NONE, MODE_NONE, FALSE); message->add_payload(message, &sa_payload->payload_interface); return NEED_MORE; diff --git a/src/libcharon/sa/tasks/quick_mode.c b/src/libcharon/sa/tasks/quick_mode.c index eb9312d2b..1d5e6b521 100644 
--- a/src/libcharon/sa/tasks/quick_mode.c +++ b/src/libcharon/sa/tasks/quick_mode.c @@ -425,8 +425,8 @@ METHOD(task_t, build_i, status_t, } enumerator->destroy(enumerator); - sa_payload = sa_payload_create_from_proposal_list( - SECURITY_ASSOCIATION_V1, list); + sa_payload = sa_payload_create_from_proposals_v1(list, + 0, 0, AUTH_NONE, MODE_NONE, FALSE); list->destroy_offset(list, offsetof(proposal_t, destroy)); message->add_payload(message, &sa_payload->payload_interface); @@ -551,8 +551,8 @@ METHOD(task_t, build_r, status_t, } this->proposal->set_spi(this->proposal, this->spi_r); - sa_payload = sa_payload_create_from_proposal( - SECURITY_ASSOCIATION_V1, this->proposal); + sa_payload = sa_payload_create_from_proposal_v1(this->proposal, + 0, 0, AUTH_NONE, MODE_NONE, FALSE); message->add_payload(message, &sa_payload->payload_interface); if (!add_nonce(this, &this->nonce_r, message)) diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index ddb63283c..7af76a321 100644 --- a/src/libhydra/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h @@ -43,6 +43,8 @@ typedef struct mark_t mark_t; * Mode of an IPsec SA. */ enum ipsec_mode_t { + /** not using any encapsulation */ + MODE_NONE = 0, /** transport mode, no inner address */ MODE_TRANSPORT = 1, /** tunnel mode, inner and outer addresses */ |
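Review bot: build_i and build_r in quick_mode.c pass `0, 0, AUTH_NONE, MODE_NONE, FALSE` for what is an IPsec (phase 2) SA, so neither the configured encapsulation mode nor the SA lifetime reaches the payload — a transport-mode CHILD_SA would be proposed without a mode attribute and the lifetime the peer receives is left undefined. The values should come from the child configuration this task negotiates (child_cfg_t's get_mode and get_lifetime accessors, assuming the task keeps a child_cfg like the IKEv2 tasks do) rather than constants, or at least be marked `/* TODO-IKEv1: encode mode/lifetime from child_cfg */` if the constructor still ignores them in this commit. The main_mode.c hunks on the previous line pass the same constants, which is fine for mode (an IKE SA has none) but leaves the ISAKMP SA lifetime unproposed as well. The enclosing build_i and build_r bodies start and end outside these hunks.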