From 1bf2971ff2d63f1f1c4d59d1091b8a1b11b0ef62 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Wed, 16 Nov 2011 13:46:54 +0100 Subject: Implemented limited payload parsing for IKEv1 SA payloads --- .../encoding/payloads/proposal_substructure.c | 354 ++++++++++++++++++--- 1 file changed, 315 insertions(+), 39 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 4753d574d..efa748bd0 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -25,7 +25,7 @@ #include /** - * IKEv1 Value for a proposal payload. + * IKEv2 Value for a proposal payload. */ #define PROPOSAL_TYPE_VALUE 2 
@@ -84,16 +84,43 @@ struct private_proposal_substructure_t { /** * Transforms are stored in a linked_list_t. */ - linked_list_t * transforms; + linked_list_t *transforms; + + /** + * Type of this payload, PROPOSAL_SUBSTRUCTURE or PROPOSAL_SUBSTRUCTURE_V1 + */ + payload_type_t type; }; /** - * Encoding rules to parse or generate a Proposal substructure. - * - * The defined offsets are the positions in a object of type - * private_proposal_substructure_t. + * Encoding rules for a IKEv1 Proposal substructure. */ -encoding_rule_t proposal_substructure_encodings[] = { +static encoding_rule_t encodings_v1[] = { + /* 1 Byte next payload type, stored in the field next_payload */ + { U_INT_8, offsetof(private_proposal_substructure_t, next_payload) }, + /* 1 Reserved Byte */ + { RESERVED_BYTE, offsetof(private_proposal_substructure_t, reserved) }, + /* Length of the whole proposal substructure payload*/ + { PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) }, + /* proposal number is a number of 8 bit */ + { U_INT_8, offsetof(private_proposal_substructure_t, proposal_number) }, + /* protocol ID is a number of 8 bit */ + { U_INT_8, offsetof(private_proposal_substructure_t, protocol_id) }, + /* SPI Size has its own type */ + { SPI_SIZE, offsetof(private_proposal_substructure_t, spi_size) }, + /* Number of transforms is a number of 8 bit */ + { U_INT_8, offsetof(private_proposal_substructure_t, transforms_count) }, + /* SPI is a chunk of variable size*/ + { SPI, offsetof(private_proposal_substructure_t, spi) }, + /* Transforms are stored in a transform substructure, + offset points to a linked_list_t pointer */ + { TRANSFORMS_V1, offsetof(private_proposal_substructure_t, transforms) } +}; + +/** + * Encoding rules for a IKEv2 Proposal substructure. + */ +static encoding_rule_t encodings_v2[] = { /* 1 Byte next payload type, stored in the field next_payload */ { U_INT_8, offsetof(private_proposal_substructure_t, next_payload) }, /* 1 Reserved Byte */ 
@@ -131,6 +158,76 @@ encoding_rule_t proposal_substructure_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ +/** + * Encryption. + */ +typedef enum { + IKEV1_ENCR_DES_CBC = 1, + IKEV1_ENCR_IDEA_CBC = 2, + IKEV1_ENCR_BLOWFISH_CBC = 3, + IKEV1_ENCR_RC5_R16_B64_CBC = 4, + IKEV1_ENCR_3DES_CBC = 5, + IKEV1_ENCR_CAST_CBC = 6, + IKEV1_ENCR_AES_CBC = 7, + IKEV1_ENCR_CAMELLIA_CBC = 8, + IKEV1_ENCR_LAST = 9, +} ikev1_encryption_t; + +/** + * IKEv1 hash. + */ +typedef enum { + IKEV1_HASH_MD5 = 1, + IKEV1_HASH_SHA1 = 2, + IKEV1_HASH_TIGER = 3, + IKEV1_HASH_SHA2_256 = 4, + IKEV1_HASH_SHA2_384 = 5, + IKEV1_HASH_SHA2_512 = 6, +} ikev1_hash_t; + +/** + * IKEv1 Transform ID IKE. + */ +typedef enum { + IKEV1_TRANSID_KEY_IKE = 1, +} ikev1_ike_transid_t; + +/** + * IKEv1 Transform ID ESP. + */ +typedef enum { + IKEV1_TRANSID_ESP_DES_IV64 = 1, + IKEV1_TRANSID_ESP_DES = 2, + IKEV1_TRANSID_ESP_3DES = 3, + IKEV1_TRANSID_ESP_RC5 = 4, + IKEV1_TRANSID_ESP_IDEA = 5, + IKEV1_TRANSID_ESP_CAST = 6, + IKEV1_TRANSID_ESP_BLOWFISH = 7, + IKEV1_TRANSID_ESP_3IDEA = 8, + IKEV1_TRANSID_ESP_DES_IV32 = 9, + IKEV1_TRANSID_ESP_RC4 = 10, + IKEV1_TRANSID_ESP_NULL = 11, + IKEV1_TRANSID_ESP_AES_CBC = 12, +} ikev1_esp_transid_t; + +/** + * IKEv1 ESP Encapsulation mode. + */ +typedef enum { + IKEV1_ENCAP_TUNNEL = 1, + IKEV1_ENCAP_TRANSPORT = 2, + IKEV1_ENCAP_UDP_TUNNEL = 3, + IKEV1_ENCAP_UDP_TRANSPORT = 4, +} ikev1_esp_encap_t; + +/** + * IKEv1 Life duration types. + */ +typedef enum { + IKEV1_LIFE_TYPE_SECONDS = 1, + IKEV1_LIFE_TYPE_KILOBYTES = 2, +} ikev1_life_type_t; + METHOD(payload_t, verify, status_t, private_proposal_substructure_t *this) { 
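Review bot: The new enums carry wire values taken from external registries, but none of the doc comments says which, so a reader cannot tell whether `IKEV1_ENCR_CAMELLIA_CBC = 8` or `IKEV1_ENCAP_UDP_TUNNEL = 3` is a registered number or a local choice. A one-line pointer per enum would ground them, e.g. `* IKEv1 encryption algorithm attribute values (RFC 2409 Appendix A / IANA ISAKMP attributes)` for `ikev1_encryption_t`, `* IPsec DOI ESP transform identifiers (RFC 2407 4.4.4)` for `ikev1_esp_transid_t`, and a note on `ikev1_esp_encap_t` that values 3 and 4 come from the NAT-T specification (RFC 3947). `IKEV1_ENCR_LAST = 9` is a sentinel rather than a registered value and should say so in a trailing comment, otherwise it reads like a ninth cipher.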
@@ -192,14 +289,22 @@ METHOD(payload_t, get_encoding_rules, void, private_proposal_substructure_t *this, encoding_rule_t **rules, size_t *rule_count) { - *rules = proposal_substructure_encodings; - *rule_count = countof(proposal_substructure_encodings); + if (this->type == PROPOSAL_SUBSTRUCTURE) + { + *rules = encodings_v2; + *rule_count = countof(encodings_v2); + } + else + { + *rules = encodings_v1; + *rule_count = countof(encodings_v1); + } } METHOD(payload_t, get_type, payload_type_t, private_proposal_substructure_t *this) { - return PROPOSAL_SUBSTRUCTURE; + return this->type; } METHOD(payload_t, get_next_type, payload_type_t, 
@@ -301,43 +406,206 @@ METHOD(proposal_substructure_t, get_spi, chunk_t, return this->spi; } +/** + * Add a transform to a proposal for IKEv2 + */ +static void add_to_proposal_v2(proposal_t *proposal, + transform_substructure_t *transform) +{ + transform_attribute_t *tattr; + enumerator_t *enumerator; + u_int16_t key_length = 0; + + enumerator = transform->create_attribute_enumerator(transform); + while (enumerator->enumerate(enumerator, &tattr)) + { + if (tattr->get_attribute_type(tattr) == TATTR_IKEV2_KEY_LENGTH) + { + key_length = tattr->get_value(tattr); + break; + } + } + enumerator->destroy(enumerator); + + proposal->add_algorithm(proposal, + transform->get_transform_type_or_number(transform), + transform->get_transform_id(transform), key_length); +} + +/** + * Get IKEv2 algorithm from IKEv1 identifier + */ +static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value) +{ + typedef struct { + u_int16_t ikev1; + u_int16_t ikev2; + } algo_map_t; + + static algo_map_t encr[] = { + { IKEV1_ENCR_DES_CBC, ENCR_DES }, + { IKEV1_ENCR_IDEA_CBC, ENCR_IDEA }, + { IKEV1_ENCR_BLOWFISH_CBC, ENCR_BLOWFISH }, + { IKEV1_ENCR_3DES_CBC, ENCR_3DES }, + { IKEV1_ENCR_CAST_CBC, ENCR_CAST }, + { IKEV1_ENCR_AES_CBC, ENCR_AES_CBC }, + { IKEV1_ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CBC }, + }; + static algo_map_t integ[] = { + { IKEV1_HASH_MD5, AUTH_HMAC_MD5_96 }, + { IKEV1_HASH_SHA1, AUTH_HMAC_SHA1_96 }, + { IKEV1_HASH_SHA2_256, AUTH_HMAC_SHA2_256_128 }, + { IKEV1_HASH_SHA2_384, AUTH_HMAC_SHA2_384_192 }, + { IKEV1_HASH_SHA2_512, AUTH_HMAC_SHA2_512_256 }, + }; + static algo_map_t prf[] = { + { IKEV1_HASH_MD5, PRF_HMAC_MD5 }, + { IKEV1_HASH_SHA1, PRF_HMAC_SHA1 }, + { IKEV1_HASH_SHA2_256, PRF_HMAC_SHA2_256 }, + { IKEV1_HASH_SHA2_384, PRF_HMAC_SHA2_384 }, + { IKEV1_HASH_SHA2_512, PRF_HMAC_SHA2_512 }, + }; + int i, count; + u_int16_t def; + algo_map_t *map; + + switch (type) + { + case ENCRYPTION_ALGORITHM: + map = encr; + count = countof(encr); + def = ENCR_UNDEFINED; + break; + 
case INTEGRITY_ALGORITHM: + map = integ; + count = countof(integ); + def = AUTH_UNDEFINED; + break; + case PSEUDO_RANDOM_FUNCTION: + map = prf; + count = countof(prf); + def = PRF_UNDEFINED; + break; + default: + return 0; + } + + for (i = 0; i < count; i++) + { + if (map[i].ikev1 == value) + { + return map[i].ikev2; + } + } + return def; +} + +/** + * Add an IKE transform to a proposal for IKEv1 + */ +static void add_to_proposal_v1_ike(proposal_t *proposal, + transform_substructure_t *transform) +{ + transform_attribute_type_t type; + transform_attribute_t *tattr; + enumerator_t *enumerator; + u_int16_t value, key_length = 0; + u_int16_t encr = ENCR_UNDEFINED; + + enumerator = transform->create_attribute_enumerator(transform); + while (enumerator->enumerate(enumerator, &tattr)) + { + type = tattr->get_attribute_type(tattr); + value = tattr->get_value(tattr); + switch (type) + { + case TATTR_PH1_ENCRYPTION_ALGORITHM: + encr = get_alg_from_ikev1(ENCRYPTION_ALGORITHM, value); + break; + case TATTR_PH1_KEY_LENGTH: + key_length = value; + break; + case TATTR_PH1_HASH_ALGORITHM: + proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, + get_alg_from_ikev1(INTEGRITY_ALGORITHM, value), 0); + proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, + get_alg_from_ikev1(PSEUDO_RANDOM_FUNCTION, value), 0); + break; + case TATTR_PH1_GROUP: + proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, + value, 0); + break; + default: + /* TODO-IKEv1: lifetimes, authentication and other attributes */ + break; + } + } + enumerator->destroy(enumerator); + + if (encr != ENCR_UNDEFINED) + { + proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, key_length); + } +} + +/** + * Add an ESP transform to a proposal for IKEv1 + */ +static void add_to_proposal_v1_esp(proposal_t *proposal, + transform_substructure_t *transform) +{ + /* TODO-IKEv1: create ESP proposals */ +} + METHOD(proposal_substructure_t, get_proposal, proposal_t*, private_proposal_substructure_t *this) { - 
enumerator_t *enumerator; transform_substructure_t *transform; + enumerator_t *enumerator; proposal_t *proposal; - u_int64_t spi; proposal = proposal_create(this->protocol_id, this->proposal_number); enumerator = this->transforms->create_enumerator(this->transforms); while (enumerator->enumerate(enumerator, &transform)) { - transform_type_t transform_type; - u_int16_t transform_id; - u_int16_t key_length = 0; - - transform_type = transform->get_transform_type(transform); - transform_id = transform->get_transform_id(transform); - transform->get_key_length(transform, &key_length); - - proposal->add_algorithm(proposal, transform_type, transform_id, key_length); + if (this->type == PROPOSAL_SUBSTRUCTURE) + { + add_to_proposal_v2(proposal, transform); + } + else + { + switch (this->protocol_id) + { + case PROTO_IKE: + add_to_proposal_v1_ike(proposal, transform); + break; + case PROTO_ESP: + add_to_proposal_v1_esp(proposal, transform); + break; + default: + break; + } + /* TODO-IKEv1: We currently accept the first set of transforms + * in a substructure only. We need to return multiple proposals, + * but this messes up proposal numbering, as we don't support + * transform numbering. */ + break; + } } enumerator->destroy(enumerator); switch (this->spi.len) { case 4: - spi = *((u_int32_t*)this->spi.ptr); + proposal->set_spi(proposal, *((u_int32_t*)this->spi.ptr)); break; case 8: - spi = *((u_int64_t*)this->spi.ptr); + proposal->set_spi(proposal, *((u_int64_t*)this->spi.ptr)); break; default: - spi = 0; + break; } - proposal->set_spi(proposal, spi); return proposal; } @@ -352,7 +620,7 @@ METHOD2(payload_t, proposal_substructure_t, destroy, void, private_proposal_substructure_t *this) { this->transforms->destroy_offset(this->transforms, - offsetof(transform_substructure_t, destroy)); + offsetof(payload_t, destroy)); chunk_free(&this->spi); free(this); } 
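Review bot: In `add_to_proposal_v1_ike`, the `TATTR_PH1_HASH_ALGORITHM` case adds the results of `get_alg_from_ikev1(INTEGRITY_ALGORITHM, …)` and `get_alg_from_ikev1(PSEUDO_RANDOM_FUNCTION, …)` unconditionally, whereas the encryption path is guarded by `if (encr != ENCR_UNDEFINED)`. A hash id without a mapping — `IKEV1_HASH_TIGER` is declared in the enum but absent from `integ` and `prf` — therefore lands in the proposal as `AUTH_UNDEFINED`/`PRF_UNDEFINED`, and the `TATTR_PH1_GROUP` case forwards the peer's raw value as a DH group with no check at all. Guard the hash case the same way the cipher is guarded: `integ = get_alg_from_ikev1(INTEGRITY_ALGORITHM, value); if (integ != AUTH_UNDEFINED) { proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, integ, 0); }` and likewise for the PRF, declaring `integ`/`prf` next to `encr`. The same lookup returns `0` rather than `def` for an unsupported `type`, so `get_alg_from_ikev1`'s doc comment should state both failure values.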
@@ -360,7 +628,7 @@ METHOD2(payload_t, proposal_substructure_t, destroy, void, /* * Described in header. */ -proposal_substructure_t *proposal_substructure_create() +proposal_substructure_t *proposal_substructure_create(payload_type_t type) { private_proposal_substructure_t *this; @@ -389,6 +657,7 @@ proposal_substructure_t *proposal_substructure_create() .next_payload = NO_PAYLOAD, .proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH, .transforms = linked_list_create(), + .type = type, ); return &this->public; @@ -398,21 +667,28 @@ proposal_substructure_t *proposal_substructure_create() * Described in header. */ proposal_substructure_t *proposal_substructure_create_from_proposal( - proposal_t *proposal) + payload_type_t type, proposal_t *proposal) { transform_substructure_t *transform; private_proposal_substructure_t *this; u_int16_t alg, key_size; enumerator_t *enumerator; + payload_type_t subtype = TRANSFORM_SUBSTRUCTURE; + + if (type == PROPOSAL_SUBSTRUCTURE_V1) + { + /* TODO-IKEv1: IKEv1 specific proposal encoding */ + subtype = TRANSFORM_SUBSTRUCTURE_V1; + } - this = (private_proposal_substructure_t*)proposal_substructure_create(); + this = (private_proposal_substructure_t*)proposal_substructure_create(type); /* encryption algorithm is only available in ESP */ enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM); while (enumerator->enumerate(enumerator, &alg, &key_size)) { - transform = transform_substructure_create_type(ENCRYPTION_ALGORITHM, - alg, key_size); + transform = transform_substructure_create_type(subtype, + ENCRYPTION_ALGORITHM, alg, key_size); add_transform_substructure(this, transform); } enumerator->destroy(enumerator); 
@@ -421,8 +697,8 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM); while (enumerator->enumerate(enumerator, &alg, &key_size)) { - transform = transform_substructure_create_type(INTEGRITY_ALGORITHM, - alg, key_size); + transform = transform_substructure_create_type(subtype, + INTEGRITY_ALGORITHM, alg, key_size); add_transform_substructure(this, transform); } enumerator->destroy(enumerator); @@ -431,8 +707,8 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( enumerator = proposal->create_enumerator(proposal, PSEUDO_RANDOM_FUNCTION); while (enumerator->enumerate(enumerator, &alg, &key_size)) { - transform = transform_substructure_create_type(PSEUDO_RANDOM_FUNCTION, - alg, key_size); + transform = transform_substructure_create_type(subtype, + PSEUDO_RANDOM_FUNCTION, alg, key_size); add_transform_substructure(this, transform); } enumerator->destroy(enumerator); @@ -441,8 +717,8 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP); while (enumerator->enumerate(enumerator, &alg, NULL)) { - transform = transform_substructure_create_type(DIFFIE_HELLMAN_GROUP, - alg, 0); + transform = transform_substructure_create_type(subtype, + DIFFIE_HELLMAN_GROUP, alg, 0); add_transform_substructure(this, transform); } enumerator->destroy(enumerator); @@ -451,8 +727,8 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( enumerator = proposal->create_enumerator(proposal, EXTENDED_SEQUENCE_NUMBERS); while (enumerator->enumerate(enumerator, &alg, NULL)) { - transform = transform_substructure_create_type(EXTENDED_SEQUENCE_NUMBERS, - alg, 0); + transform = transform_substructure_create_type(subtype, + EXTENDED_SEQUENCE_NUMBERS, alg, 0); add_transform_substructure(this, transform); } enumerator->destroy(enumerator); -- cgit v1.2.3 
From 3a470f303542dfb127eb8b17553da06a92892ebb Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Wed, 16 Nov 2011 18:24:14 +0100 Subject: Added limiting encoding of IKEv1 SA payloads --- .../encoding/payloads/proposal_substructure.c | 274 ++++++++++++++++----- 1 file changed, 209 insertions(+), 65 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index efa748bd0..2a033b6a8 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c 
@@ -432,64 +432,78 @@ static void add_to_proposal_v2(proposal_t *proposal, transform->get_transform_id(transform), key_length); } +/** + * Map IKEv1 to IKEv2 algorithms + */ +typedef struct { + u_int16_t ikev1; + u_int16_t ikev2; +} algo_map_t; + +/** + * Encryption algorithm mapping + */ +static algo_map_t map_encr[] = { + { IKEV1_ENCR_DES_CBC, ENCR_DES }, + { IKEV1_ENCR_IDEA_CBC, ENCR_IDEA }, + { IKEV1_ENCR_BLOWFISH_CBC, ENCR_BLOWFISH }, + { IKEV1_ENCR_3DES_CBC, ENCR_3DES }, + { IKEV1_ENCR_CAST_CBC, ENCR_CAST }, + { IKEV1_ENCR_AES_CBC, ENCR_AES_CBC }, + { IKEV1_ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CBC }, +}; + +/** + * Integrity algorithm mapping + */ +static algo_map_t map_integ[] = { + { IKEV1_HASH_MD5, AUTH_HMAC_MD5_96 }, + { IKEV1_HASH_SHA1, AUTH_HMAC_SHA1_96 }, + { IKEV1_HASH_SHA2_256, AUTH_HMAC_SHA2_256_128 }, + { IKEV1_HASH_SHA2_384, AUTH_HMAC_SHA2_384_192 }, + { IKEV1_HASH_SHA2_512, AUTH_HMAC_SHA2_512_256 }, +}; + +/** + * PRF algorithm mapping + */ +static algo_map_t map_prf[] = { + { IKEV1_HASH_MD5, PRF_HMAC_MD5 }, + { IKEV1_HASH_SHA1, PRF_HMAC_SHA1 }, + { IKEV1_HASH_SHA2_256, PRF_HMAC_SHA2_256 }, + { IKEV1_HASH_SHA2_384, PRF_HMAC_SHA2_384 }, + { IKEV1_HASH_SHA2_512, PRF_HMAC_SHA2_512 }, +}; + /** * Get IKEv2 algorithm from IKEv1 identifier */ static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value) { - typedef struct { - u_int16_t ikev1; - u_int16_t ikev2; - } algo_map_t; - - static algo_map_t encr[] = { - { IKEV1_ENCR_DES_CBC, ENCR_DES }, - { IKEV1_ENCR_IDEA_CBC, ENCR_IDEA }, - { IKEV1_ENCR_BLOWFISH_CBC, ENCR_BLOWFISH }, - { IKEV1_ENCR_3DES_CBC, ENCR_3DES }, - { IKEV1_ENCR_CAST_CBC, ENCR_CAST }, - { IKEV1_ENCR_AES_CBC, ENCR_AES_CBC }, - { IKEV1_ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CBC }, - }; - static algo_map_t integ[] = { - { IKEV1_HASH_MD5, AUTH_HMAC_MD5_96 }, - { IKEV1_HASH_SHA1, AUTH_HMAC_SHA1_96 }, - { IKEV1_HASH_SHA2_256, AUTH_HMAC_SHA2_256_128 }, - { IKEV1_HASH_SHA2_384, AUTH_HMAC_SHA2_384_192 }, - { IKEV1_HASH_SHA2_512, 
AUTH_HMAC_SHA2_512_256 }, - }; - static algo_map_t prf[] = { - { IKEV1_HASH_MD5, PRF_HMAC_MD5 }, - { IKEV1_HASH_SHA1, PRF_HMAC_SHA1 }, - { IKEV1_HASH_SHA2_256, PRF_HMAC_SHA2_256 }, - { IKEV1_HASH_SHA2_384, PRF_HMAC_SHA2_384 }, - { IKEV1_HASH_SHA2_512, PRF_HMAC_SHA2_512 }, - }; - int i, count; - u_int16_t def; algo_map_t *map; + u_int16_t def; + int i, count; switch (type) { case ENCRYPTION_ALGORITHM: - map = encr; - count = countof(encr); + map = map_encr; + count = countof(map_encr); def = ENCR_UNDEFINED; break; case INTEGRITY_ALGORITHM: - map = integ; - count = countof(integ); + map = map_integ; + count = countof(map_integ); def = AUTH_UNDEFINED; break; case PSEUDO_RANDOM_FUNCTION: - map = prf; - count = countof(prf); + map = map_prf; + count = countof(map_prf); def = PRF_UNDEFINED; break; default: return 0; } - for (i = 0; i < count; i++) { if (map[i].ikev1 == value) @@ -500,6 +514,41 @@ static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value) return def; } +/** + * Get IKEv1 algorithm from IKEv2 identifier + */ +static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value) +{ + algo_map_t *map; + int i, count; + + switch (type) + { + case ENCRYPTION_ALGORITHM: + map = map_encr; + count = countof(map_encr); + break; + case INTEGRITY_ALGORITHM: + map = map_integ; + count = countof(map_integ); + break; + case PSEUDO_RANDOM_FUNCTION: + map = map_prf; + count = countof(map_prf); + break; + default: + return 0; + } + for (i = 0; i < count; i++) + { + if (map[i].ikev2 == value) + { + return map[i].ikev1; + } + } + return 0; +} + /** * Add an IKE transform to a proposal for IKEv1 */ @@ -606,7 +655,6 @@ METHOD(proposal_substructure_t, get_proposal, proposal_t*, default: break; } - return proposal; } 
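Review bot: `map_encr`, `map_integ` and `map_prf` are writable file-scope tables that are only ever read; declaring them `static const algo_map_t` and making `map` in both `get_alg_from_ikev1` and `get_ikev1_from_alg` a `const algo_map_t *` puts the lookup tables in read-only storage and turns a stray write into a compile error. In `get_ikev1_from_alg`, 0 is returned both for an unknown `type` and for an unmapped `value`; the callers in `set_from_proposal_v1_ike` test `if (alg)` and drop the algorithm silently, which is acceptable on the wire but means a misconfigured proposal vanishes without a trace, so a `DBG1` message at the drop site would help operators. `map_integ` lists exactly one IKEv2 integrity variant per hash (e.g. `AUTH_HMAC_SHA2_256_128`), so other IKEv2 identifiers built on the same hash also map to 0 in the reverse direction; a comment on `map_integ` stating that the v2→v1 direction is intentionally lossy would avoid surprise.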
@@ -663,32 +711,97 @@ proposal_substructure_t *proposal_substructure_create(payload_type_t type) return &this->public; } -/* - * Described in header. +/** + * Add an IKEv1 IKE proposal to the substructure */ -proposal_substructure_t *proposal_substructure_create_from_proposal( - payload_type_t type, proposal_t *proposal) +static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, + proposal_t *proposal) { transform_substructure_t *transform; - private_proposal_substructure_t *this; u_int16_t alg, key_size; enumerator_t *enumerator; - payload_type_t subtype = TRANSFORM_SUBSTRUCTURE; - if (type == PROPOSAL_SUBSTRUCTURE_V1) + transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1, + 0, IKEV1_TRANSID_KEY_IKE); + + enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM); + while (enumerator->enumerate(enumerator, &alg, &key_size)) + { + alg = get_ikev1_from_alg(ENCRYPTION_ALGORITHM, alg); + if (alg) + { + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH1_ENCRYPTION_ALGORITHM, alg)); + if (key_size) + { + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH1_KEY_LENGTH, key_size)); + } + } + } + enumerator->destroy(enumerator); + + /* encode the integrity algorithm as hash and assume use the same PRF */ + enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM); + while (enumerator->enumerate(enumerator, &alg, &key_size)) { - /* TODO-IKEv1: IKEv1 specific proposal encoding */ - subtype = TRANSFORM_SUBSTRUCTURE_V1; + alg = get_ikev1_from_alg(INTEGRITY_ALGORITHM, alg); + if (alg) + { + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH1_HASH_ALGORITHM, alg)); + } } + enumerator->destroy(enumerator); - this = (private_proposal_substructure_t*)proposal_substructure_create(type); + enumerator = 
proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP); + while (enumerator->enumerate(enumerator, &alg, &key_size)) + { + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH1_GROUP, alg)); + } + enumerator->destroy(enumerator); + + /* TODO-IKEv1: Add lifetime, auth and other attributes */ + + add_transform_substructure(this, transform); +} + +/** + * Add an IKEv1 ESP proposal to the substructure + */ +static void set_from_proposal_v1_esp(private_proposal_substructure_t *this, + proposal_t *proposal) +{ + /* TODO-IKEv1: add ESP proposal to transform substr */ +} + +/** + * Add an IKEv2 proposal to the substructure + */ +static void set_from_proposal_v2(private_proposal_substructure_t *this, + proposal_t *proposal) +{ + transform_substructure_t *transform; + u_int16_t alg, key_size; + enumerator_t *enumerator; /* encryption algorithm is only available in ESP */ enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM); while (enumerator->enumerate(enumerator, &alg, &key_size)) { - transform = transform_substructure_create_type(subtype, - ENCRYPTION_ALGORITHM, alg, key_size); + transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE, + ENCRYPTION_ALGORITHM, alg); + if (key_size) + { + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE, + TATTR_IKEV2_KEY_LENGTH, key_size)); + } add_transform_substructure(this, transform); } enumerator->destroy(enumerator); 
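Review bot: `set_from_proposal_v1_ike` creates a single transform and then appends one `TATTR_PH1_ENCRYPTION_ALGORITHM`, `TATTR_PH1_HASH_ALGORITHM` and `TATTR_PH1_GROUP` attribute per algorithm the proposal holds, so a proposal carrying two ciphers or two hashes yields one IKEv1 transform with duplicate attribute types. In ISAKMP a transform is one concrete combination, so a peer will either reject such a transform or honour whichever duplicate its parser sees first, which does not express the intended alternatives. Either emit one transform per combination, or state the precondition at the top of the function: `/* Encodes a single transform: the proposal must carry at most one algorithm per type */`. The comment `/* encode the integrity algorithm as hash and assume use the same PRF */` should read `/* encode the integrity algorithm as hash and assume the PRF uses the same hash */`. The transform number passed as `0` in `transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1, 0, IKEV1_TRANSID_KEY_IKE)` is worth confirming against what the decoder expects, given that `get_proposal` already notes transform numbering is unsupported.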
@@ -697,8 +810,8 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM); while (enumerator->enumerate(enumerator, &alg, &key_size)) { - transform = transform_substructure_create_type(subtype, - INTEGRITY_ALGORITHM, alg, key_size); + transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE, + INTEGRITY_ALGORITHM, alg); add_transform_substructure(this, transform); } enumerator->destroy(enumerator); @@ -707,8 +820,8 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( enumerator = proposal->create_enumerator(proposal, PSEUDO_RANDOM_FUNCTION); while (enumerator->enumerate(enumerator, &alg, &key_size)) { - transform = transform_substructure_create_type(subtype, - PSEUDO_RANDOM_FUNCTION, alg, key_size); + transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE, + PSEUDO_RANDOM_FUNCTION, alg); add_transform_substructure(this, transform); } enumerator->destroy(enumerator); @@ -717,8 +830,8 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP); while (enumerator->enumerate(enumerator, &alg, NULL)) { - transform = transform_substructure_create_type(subtype, - DIFFIE_HELLMAN_GROUP, alg, 0); + transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE, + DIFFIE_HELLMAN_GROUP, alg); add_transform_substructure(this, transform); } enumerator->destroy(enumerator); 
@@ -727,27 +840,58 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( enumerator = proposal->create_enumerator(proposal, EXTENDED_SEQUENCE_NUMBERS); while (enumerator->enumerate(enumerator, &alg, NULL)) { - transform = transform_substructure_create_type(subtype, - EXTENDED_SEQUENCE_NUMBERS, alg, 0); + transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE, + EXTENDED_SEQUENCE_NUMBERS, alg); add_transform_substructure(this, transform); } enumerator->destroy(enumerator); +} + +/* + * Described in header. + */ +proposal_substructure_t *proposal_substructure_create_from_proposal( + payload_type_t type, proposal_t *proposal) +{ + private_proposal_substructure_t *this; + u_int64_t spi64; + u_int32_t spi32; + + this = (private_proposal_substructure_t*)proposal_substructure_create(type); + if (type == PROPOSAL_SUBSTRUCTURE) + { + set_from_proposal_v2(this, proposal); + } + else + { + switch (proposal->get_protocol(proposal)) + { + case PROTO_IKE: + set_from_proposal_v1_ike(this, proposal); + break; + case PROTO_ESP: + set_from_proposal_v1_esp(this, proposal); + break; + default: + break; + } + } /* add SPI, if necessary */ switch (proposal->get_protocol(proposal)) { case PROTO_AH: case PROTO_ESP: - this->spi_size = this->spi.len = 4; - this->spi.ptr = malloc(this->spi_size); - *((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal); + spi32 = proposal->get_spi(proposal); + this->spi = chunk_clone(chunk_from_thing(spi32)); + this->spi_size = this->spi.len; break; case PROTO_IKE: - if (proposal->get_spi(proposal)) + spi64 = proposal->get_spi(proposal); + if (spi64) { /* IKE only uses SPIS when rekeying, but on initial setup */ - this->spi_size = this->spi.len = 8; - this->spi.ptr = malloc(this->spi_size); - *((u_int64_t*)this->spi.ptr) = proposal->get_spi(proposal); + this->spi = chunk_clone(chunk_from_thing(spi64)); + this->spi_size = this->spi.len; } break; default: -- cgit v1.2.3 
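Review bot: `proposal->get_protocol(proposal)` is evaluated twice in the rebuilt `proposal_substructure_create_from_proposal`, once to dispatch the v1 encoders and again in the SPI switch; hoisting it into `protocol_id_t proto = proposal->get_protocol(proposal);` keeps both switches on the same value and reads better. `spi32 = proposal->get_spi(proposal);` silently narrows the getter, whose width the `spi64` assignment below shows is 64 bits; an explicit `(u_int32_t)` cast with a comment that AH/ESP SPIs are 32-bit would state the intent rather than rely on implicit conversion. Because `set_from_proposal_v1_esp` is still a stub, a v1 ESP proposal is encoded with zero transforms, and an unrecognised protocol falls through `default: break;` in both switches; a comment on the first `default` saying that unsupported protocols yield an empty (not rejected) proposal would save the next reader from assuming an error path exists.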
From 717333da98b45590035fc4461538882428191e40 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 17 Nov 2011 10:45:41 +0100 Subject: Add fixed PSK authentication method to IKEv1 proposal for now --- src/libcharon/encoding/payloads/proposal_substructure.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 2a033b6a8..40caef858 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -228,6 +228,17 @@ typedef enum { IKEV1_LIFE_TYPE_KILOBYTES = 2, } ikev1_life_type_t; +/** + * IKEv1 authenticaiton methods + */ +typedef enum { + IKEV1_AUTH_PSK = 1, + IKEV1_AUTH_DSS_SIG = 2, + IKEV1_AUTH_RSA_SIG = 3, + IKEV1_AUTH_RSA_ENC = 4, + IKEV1_AUTH_RSA_ENC_REV = 5, +} ikev1_auth_method_t; + METHOD(payload_t, verify, status_t, private_proposal_substructure_t *this) { @@ -766,7 +777,10 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, } enumerator->destroy(enumerator); - /* TODO-IKEv1: Add lifetime, auth and other attributes */ + /* TODO-IKEv1: Add lifetime, non-fixed auth-method and other attributes */ + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH1_AUTH_METHOD, IKEV1_AUTH_PSK)); add_transform_substructure(this, transform); } -- cgit v1.2.3 From e9b55b832546d05f464bdddbe779ed21cd17b624 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 17 Nov 2011 11:27:55 +0100 Subject: Simplify signature of get_encoding_rules(), make all rules static --- src/libcharon/encoding/payloads/proposal_substructure.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') 
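Review bot: The doc comment on the new `ikev1_auth_method_t` enum misspells its subject; it should read `* IKEv1 authentication methods (RFC 2409 Appendix A)`, which also records where the values 1–5 come from. In `set_from_proposal_v1_ike` (whose body starts outside this hunk) the added `TATTR_PH1_AUTH_METHOD` attribute is fixed to `IKEV1_AUTH_PSK` regardless of how the connection authenticates; the TODO acknowledges this, but the comment should name the consequence so the constant is not mistaken for a default, e.g. `/* TODO-IKEv1: auth method is fixed to PSK; a peer configured for signatures will see no matching transform */`.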
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 40caef858..3b663da86 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -296,20 +296,16 @@ METHOD(payload_t, verify, status_t, return status; } -METHOD(payload_t, get_encoding_rules, void, - private_proposal_substructure_t *this, encoding_rule_t **rules, - size_t *rule_count) +METHOD(payload_t, get_encoding_rules, int, + private_proposal_substructure_t *this, encoding_rule_t **rules) { if (this->type == PROPOSAL_SUBSTRUCTURE) { *rules = encodings_v2; - *rule_count = countof(encodings_v2); - } - else - { - *rules = encodings_v1; - *rule_count = countof(encodings_v1); + return countof(encodings_v2); } + *rules = encodings_v1; + return countof(encodings_v1); } METHOD(payload_t, get_type, payload_type_t, -- cgit v1.2.3 From 38fb67fbf18489f40845b072e4ed50b1f6cf0c9c Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 17 Nov 2011 11:27:46 +0000 Subject: Add a payload.get_header_length() method, remove header length definitions --- src/libcharon/encoding/payloads/proposal_substructure.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 3b663da86..16d5794ae 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -308,6 +308,12 @@ METHOD(payload_t, get_encoding_rules, int, return countof(encodings_v1); } +METHOD(payload_t, get_header_length, int, + private_proposal_substructure_t *this) +{ + return 8 + this->spi_size; +} + METHOD(payload_t, get_type, payload_type_t, private_proposal_substructure_t *this) { 
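Review bot: `return 8 + this->spi_size;` in the new `get_header_length` replaces the named `PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH` with a bare number that a reader must reconstruct from the encoding tables. A comment tying it to the fixed fields keeps it checkable: `/* next payload, reserved, 2 byte length, proposal #, protocol id, spi size, transform count */`. The old `compute_length` (changed in the following hunk) added `this->spi.len`, whereas this uses `this->spi_size`; the two are assigned together in `proposal_substructure_create_from_proposal`, but if they can diverge on a parsed payload the computed length would no longer match the encoded SPI, so it is worth confirming that the `SPI_SIZE` rule keeps them in sync and saying so in the comment.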
@@ -334,7 +340,7 @@ static void compute_length(private_proposal_substructure_t *this) payload_t *transform; this->transforms_count = 0; - this->proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->spi.len; + this->proposal_length = get_header_length(this); enumerator = this->transforms->create_enumerator(this->transforms); while (enumerator->enumerate(enumerator, &transform)) { @@ -692,6 +698,7 @@ proposal_substructure_t *proposal_substructure_create(payload_type_t type) .payload_interface = { .verify = _verify, .get_encoding_rules = _get_encoding_rules, + .get_header_length = _get_header_length, .get_length = _get_length, .get_next_type = _get_next_type, .set_next_type = _set_next_type, @@ -710,10 +717,10 @@ proposal_substructure_t *proposal_substructure_create(payload_type_t type) .destroy = _destroy, }, .next_payload = NO_PAYLOAD, - .proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH, .transforms = linked_list_create(), .type = type, ); + compute_length(this); return &this->public; } -- cgit v1.2.3 From f62a7c7c7192d791eb4c10e7ff4d09cf54c7d4da Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 17 Nov 2011 15:44:42 +0100 Subject: Use a generic list encoding rule we can use to specify the wrapped payload type --- src/libcharon/encoding/payloads/proposal_substructure.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 16d5794ae..aa3f0674f 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c 
@@ -112,9 +112,9 @@ static encoding_rule_t encodings_v1[] = { { U_INT_8, offsetof(private_proposal_substructure_t, transforms_count) }, /* SPI is a chunk of variable size*/ { SPI, offsetof(private_proposal_substructure_t, spi) }, - /* Transforms are stored in a transform substructure, - offset points to a linked_list_t pointer */ - { TRANSFORMS_V1, offsetof(private_proposal_substructure_t, transforms) } + /* Transforms are stored in a transform substructure list */ + { PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE_V1, + offsetof(private_proposal_substructure_t, transforms) }, }; /** @@ -137,9 +137,9 @@ static encoding_rule_t encodings_v2[] = { { U_INT_8, offsetof(private_proposal_substructure_t, transforms_count) }, /* SPI is a chunk of variable size*/ { SPI, offsetof(private_proposal_substructure_t, spi) }, - /* Transforms are stored in a transform substructure, - offset points to a linked_list_t pointer */ - { TRANSFORMS, offsetof(private_proposal_substructure_t, transforms) } + /* Transforms are stored in a transform substructure list */ + { PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE, + offsetof(private_proposal_substructure_t, transforms) }, }; /* -- cgit v1.2.3 From 04ee2b7fed91b4430ba4870a2f1b98ee3e228f50 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 17 Nov 2011 18:01:41 +0100 Subject: Added IKEv1 support to notify payload --- src/libcharon/encoding/payloads/proposal_substructure.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index aa3f0674f..20f4e223d 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c 
@@ -780,10 +780,10 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, } enumerator->destroy(enumerator); - /* TODO-IKEv1: Add lifetime, non-fixed auth-method and other attributes */ + /* TODO-IKEv1: Add lifetime, non-fixed auth-method and other attributes transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, - TATTR_PH1_AUTH_METHOD, IKEV1_AUTH_PSK)); + TATTR_PH1_AUTH_METHOD, IKEV1_AUTH_PSK));*/ add_transform_substructure(this, transform); } -- cgit v1.2.3 From 72b3146092fdf426a13fbc50f10b2cfab5ecd9c4 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Fri, 18 Nov 2011 09:16:54 +0100 Subject: Re-enable static inclusion of PSK auth method into IKEv1 proposal --- src/libcharon/encoding/payloads/proposal_substructure.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 20f4e223d..aa3f0674f 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -780,10 +780,10 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, } enumerator->destroy(enumerator); - /* TODO-IKEv1: Add lifetime, non-fixed auth-method and other attributes + /* TODO-IKEv1: Add lifetime, non-fixed auth-method and other attributes */ transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, - TATTR_PH1_AUTH_METHOD, IKEV1_AUTH_PSK));*/ + TATTR_PH1_AUTH_METHOD, IKEV1_AUTH_PSK)); add_transform_substructure(this, transform); } -- cgit v1.2.3 From cc9629d87cb913d0587634b55b05dcf7129875b2 Mon Sep 17 00:00:00 2001 
From: Martin Willi Date: Mon, 21 Nov 2011 17:40:42 +0100 Subject: Partially implemented IKEv1 ESP proposal en-/decoding --- .../encoding/payloads/proposal_substructure.c | 75 +++++++++++++++++++++- 1 file changed, 73 insertions(+), 2 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index aa3f0674f..8ef993138 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -616,7 +616,38 @@ static void add_to_proposal_v1_ike(proposal_t *proposal, static void add_to_proposal_v1_esp(proposal_t *proposal, transform_substructure_t *transform) { - /* TODO-IKEv1: create ESP proposals */ + transform_attribute_type_t type; + transform_attribute_t *tattr; + enumerator_t *enumerator; + u_int16_t value, key_length = 0; + + enumerator = transform->create_attribute_enumerator(transform); + while (enumerator->enumerate(enumerator, &tattr)) + { + type = tattr->get_attribute_type(tattr); + value = tattr->get_value(tattr); + switch (type) + { + case TATTR_PH2_KEY_LENGTH: + key_length = value; + break; + case TATTR_PH2_AUTH_ALGORITHM: + proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, + get_alg_from_ikev1(INTEGRITY_ALGORITHM, value), 0); + break; + default: + /* TODO-IKEv1: lifetimes other attributes */ + break; + } + } + enumerator->destroy(enumerator); + + /* TODO-IKEv1: handle ESN attribute */ + proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, + NO_EXT_SEQ_NUMBERS, 0); + + proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, + transform->get_transform_id(transform), key_length); } METHOD(proposal_substructure_t, get_proposal, proposal_t*, 
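Review bot: An AUTH_ALGORITHM attribute that get_alg_from_ikev1() cannot map ends up as `proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, 0, 0)` in add_to_proposal_v1_esp, because the mapped value is added unchecked; the encoding counterpart get_ikev1_from_alg() visibly returns 0 for unknown values, so presumably this helper does too. Guard it the way the encoder does, `alg = get_alg_from_ikev1(INTEGRITY_ALGORITHM, value); if (alg) { proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, alg, 0); }`, so an unknown authenticator is not turned into an "undefined" integrity algorithm on the proposal. Relatedly, a transform with no AUTH_ALGORITHM attribute at all yields an ESP proposal without any integrity algorithm; whether later proposal selection rejects that for non-AEAD ciphers is outside this hunk and deserves a comment here. The raw transform ID is also passed straight through as the ENCRYPTION_ALGORITHM value, unlike integrity; if that is intentional because the RFC 2407 ESP transform IDs match the IKEv2 ENCR registry values, say so in a comment.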
@@ -794,7 +825,47 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, static void set_from_proposal_v1_esp(private_proposal_substructure_t *this, proposal_t *proposal) { - /* TODO-IKEv1: add ESP proposal to transform substr */ + transform_substructure_t *transform = NULL; + u_int16_t alg, key_size; + enumerator_t *enumerator; + + enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM); + if (enumerator->enumerate(enumerator, &alg, &key_size)) + { + transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1, + 0, alg); + if (key_size) + { + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH2_KEY_LENGTH, key_size)); + } + } + enumerator->destroy(enumerator); + if (!transform) + { + return; + } + + enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM); + while (enumerator->enumerate(enumerator, &alg, &key_size)) + { + alg = get_ikev1_from_alg(INTEGRITY_ALGORITHM, alg); + if (alg) + { + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH2_AUTH_ALGORITHM, alg)); + } + } + enumerator->destroy(enumerator); + + /* TODO-IKEv1: Add lifetime and other attributes, non-fixes ESN */ + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH2_EXT_SEQ_NUMBER, NO_EXT_SEQ_NUMBERS)); + + add_transform_substructure(this, transform); } /** -- cgit v1.2.3 From f5c00960862b1aeb0ed3d6e18f24e9f4d98dff70 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 22 Nov 2011 12:37:08 +0100 Subject: Hardcode some SA lifetimes until we can configure them dynamically --- src/libcharon/encoding/payloads/proposal_substructure.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') 
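Review bot: When the proposal carries no ENCRYPTION_ALGORITHM, set_from_proposal_v1_esp returns silently at `if (!transform) { return; }` and the substructure goes on the wire with zero transforms, which RFC 2408 §3.6 does not allow; at minimum a comment should state that callers must never pass such a proposal, or the function should report the condition so the caller can drop the substructure. The IKEv2 encryption identifier `alg` is also used directly as the IKEv1 transform ID while the integrity algorithm goes through get_ikev1_from_alg(); if that asymmetry is deliberate, a comment such as `/* IKEv2 ENCR identifiers equal the RFC 2407 ESP transform IDs, no mapping needed */` would stop the next reader from "fixing" it. Adding every INTEGRITY_ALGORITHM as a separate AUTH_ALGORITHM attribute inside one transform does not express alternatives in IKEv1 — it produces a transform with conflicting attributes — so only one should be emitted per transform.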
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 8ef993138..f0b6041bf 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -815,6 +815,12 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, TATTR_PH1_AUTH_METHOD, IKEV1_AUTH_PSK)); + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH1_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS)); + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH1_LIFE_DURATION, 10800)); add_transform_substructure(this, transform); } @@ -864,6 +870,12 @@ static void set_from_proposal_v1_esp(private_proposal_substructure_t *this, transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, TATTR_PH2_EXT_SEQ_NUMBER, NO_EXT_SEQ_NUMBERS)); + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS)); + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH2_SA_LIFE_DURATION, 3600)); add_transform_substructure(this, transform); } -- cgit v1.2.3 From cd89f1a07429f457c0759ef00dfa68d02f224735 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 22 Nov 2011 16:16:19 +0100 Subject: Only add the first algorithm of a kind to IKEv1 transforms --- src/libcharon/encoding/payloads/proposal_substructure.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') 
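Review bot: The lifetimes 10800 and 3600 are bare magic numbers in both hunks; even as an interim hard-coding they should be named, e.g. `#define IKEV1_DEFAULT_IKE_LIFETIME 10800` and `#define IKEV1_DEFAULT_ESP_LIFETIME 3600`, with a comment that they are placeholders until lifetimes are configurable, so the follow-up does not have to hunt for literals. Both hunks only add the seconds life type, so a configured byte limit is never proposed; a TODO noting that would help. The enclosing functions start outside these hunks.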
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index f0b6041bf..0555cba93 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -770,7 +770,7 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, 0, IKEV1_TRANSID_KEY_IKE); enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM); - while (enumerator->enumerate(enumerator, &alg, &key_size)) + if (enumerator->enumerate(enumerator, &alg, &key_size)) { alg = get_ikev1_from_alg(ENCRYPTION_ALGORITHM, alg); if (alg) @@ -790,7 +790,7 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, /* encode the integrity algorithm as hash and assume use the same PRF */ enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM); - while (enumerator->enumerate(enumerator, &alg, &key_size)) + if (enumerator->enumerate(enumerator, &alg, &key_size)) { alg = get_ikev1_from_alg(INTEGRITY_ALGORITHM, alg); if (alg) @@ -803,7 +803,7 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, enumerator->destroy(enumerator); enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP); - while (enumerator->enumerate(enumerator, &alg, &key_size)) + if (enumerator->enumerate(enumerator, &alg, &key_size)) { transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, @@ -854,7 +854,7 @@ static void set_from_proposal_v1_esp(private_proposal_substructure_t *this, } enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM); - while (enumerator->enumerate(enumerator, &alg, &key_size)) + if (enumerator->enumerate(enumerator, &alg, &key_size)) { alg = get_ikev1_from_alg(INTEGRITY_ALGORITHM, alg); if (alg) -- cgit v1.2.3 From 62a27ba347042fe8cafc500520f0e2cf036b07d4 Mon Sep 17 00:00:00 2001 
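Review bot: Taking only the first algorithm of each kind means that if that first ENCRYPTION_ALGORITHM or INTEGRITY_ALGORITHM has no IKEv1 mapping (get_ikev1_from_alg() returns 0, hence the `if (alg)`), the transform is emitted without that attribute even though a later algorithm in the same proposal might be encodable. Iterating until the first mappable one avoids that: `while (enumerator->enumerate(enumerator, &alg, &key_size)) { alg = get_ikev1_from_alg(ENCRYPTION_ALGORITHM, alg); if (alg) { /* add attribute */ break; } }`. The DIFFIE_HELLMAN_GROUP change silently discards every group but the first; a comment stating that callers must split such proposals into several, or a debug log, would make the truncation visible. The enclosing functions start outside these hunks.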
From: Martin Willi Date: Tue, 22 Nov 2011 16:47:17 +0100 Subject: Encode multiple IKEv1 proposals in a single transform substructure --- .../encoding/payloads/proposal_substructure.c | 52 +++++++++++++++++++--- 1 file changed, 46 insertions(+), 6 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 0555cba93..a1c58afb6 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -760,14 +760,14 @@ proposal_substructure_t *proposal_substructure_create(payload_type_t type) * Add an IKEv1 IKE proposal to the substructure */ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, - proposal_t *proposal) + proposal_t *proposal, int number) { transform_substructure_t *transform; u_int16_t alg, key_size; enumerator_t *enumerator; transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1, - 0, IKEV1_TRANSID_KEY_IKE); + number, IKEV1_TRANSID_KEY_IKE); enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM); if (enumerator->enumerate(enumerator, &alg, &key_size)) @@ -829,7 +829,7 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, * Add an IKEv1 ESP proposal to the substructure */ static void set_from_proposal_v1_esp(private_proposal_substructure_t *this, - proposal_t *proposal) + proposal_t *proposal, int number) { transform_substructure_t *transform = NULL; u_int16_t alg, key_size; @@ -839,7 +839,7 @@ static void set_from_proposal_v1_esp(private_proposal_substructure_t *this, if (enumerator->enumerate(enumerator, &alg, &key_size)) { transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1, - 0, alg); + number, alg); if (key_size) { transform->add_transform_attribute(transform, 
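Review bot: The new `int number` parameter of set_from_proposal_v1_ike/set_from_proposal_v1_esp is handed to transform_substructure_create_type() as the transform number, which is a single octet on the wire (RFC 2408 §3.6); if the create function takes a wider type, as the `int` suggests, a list of more than 255 proposals would wrap silently. Declaring it `u_int8_t number` and documenting the convention (0 for the first proposal, incremented for the rest) on both function headers would make the limit explicit. I cannot see transform_substructure_create_type()'s prototype from here, and both functions start outside these hunks.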
@@ -968,10 +968,10 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( switch (proposal->get_protocol(proposal)) { case PROTO_IKE: - set_from_proposal_v1_ike(this, proposal); + set_from_proposal_v1_ike(this, proposal, 0); break; case PROTO_ESP: - set_from_proposal_v1_esp(this, proposal); + set_from_proposal_v1_esp(this, proposal, 0); break; default: break; @@ -1003,3 +1003,43 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( return &this->public; } + +/** + * See header. + */ +proposal_substructure_t *proposal_substructure_create_from_proposals( + linked_list_t *proposals) +{ + private_proposal_substructure_t *this = NULL; + enumerator_t *enumerator; + proposal_t *proposal; + int number = 0; + + enumerator = proposals->create_enumerator(proposals); + while (enumerator->enumerate(enumerator, &proposal)) + { + if (!this) + { + this = (private_proposal_substructure_t*) + proposal_substructure_create_from_proposal( + PROPOSAL_SUBSTRUCTURE_V1, proposal); + } + else + { + switch (proposal->get_protocol(proposal)) + { + case PROTO_IKE: + set_from_proposal_v1_ike(this, proposal, ++number); + break; + case PROTO_ESP: + set_from_proposal_v1_esp(this, proposal, ++number); + break; + default: + break; + } + } + } + enumerator->destroy(enumerator); + + return &this->public; +} -- cgit v1.2.3 From d50152a70bb109624d05249e11dda6c28a9a6422 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 22 Nov 2011 17:04:07 +0100 Subject: Parse proposal substructure with multiple IKEv1 transforms to multiple proposals --- .../encoding/payloads/proposal_substructure.c | 47 +++++++++++----------- 1 file changed, 24 insertions(+), 23 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index a1c58afb6..66fa8997b 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c 
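Review bot: proposal_substructure_create_from_proposals() assumes every proposal in the list shares the protocol and SPI of the first: only the first one goes through proposal_substructure_create_from_proposal(), which sets `this->protocol_id`, while later ones are appended as transforms regardless of `proposal->get_protocol(proposal)`, so an ESP and an AH proposal in one list would be emitted under the first's protocol ID. Either skip mismatches explicitly with an `else if (proposal->get_protocol(proposal) != this->protocol_id) { /* skip, IKEv1 transforms share protocol and SPI */ }` branch before the switch, or document the precondition in the header comment. For an empty list `this` stays NULL and `return &this->public;` computes a member address from a null pointer, which is undefined behaviour in C even if it yields NULL in practice; an explicit `if (!this) { return NULL; }` plus a note that callers must check is cleaner.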
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -650,18 +650,35 @@ static void add_to_proposal_v1_esp(proposal_t *proposal, transform->get_transform_id(transform), key_length); } -METHOD(proposal_substructure_t, get_proposal, proposal_t*, - private_proposal_substructure_t *this) +METHOD(proposal_substructure_t, get_proposals, void, + private_proposal_substructure_t *this, linked_list_t *proposals) { transform_substructure_t *transform; enumerator_t *enumerator; - proposal_t *proposal; + proposal_t *proposal = NULL; + u_int64_t spi = 0; - proposal = proposal_create(this->protocol_id, this->proposal_number); + switch (this->spi.len) + { + case 4: + spi = *((u_int32_t*)this->spi.ptr); + break; + case 8: + spi = *((u_int64_t*)this->spi.ptr); + break; + default: + break; + } enumerator = this->transforms->create_enumerator(this->transforms); while (enumerator->enumerate(enumerator, &transform)) { + if (!proposal) + { + proposal = proposal_create(this->protocol_id, this->proposal_number); + proposal->set_spi(proposal, spi); + proposals->insert_last(proposals, proposal); + } if (this->type == PROPOSAL_SUBSTRUCTURE) { add_to_proposal_v2(proposal, transform); @@ -679,27 +696,11 @@ METHOD(proposal_substructure_t, get_proposal, proposal_t*, default: break; } - /* TODO-IKEv1: We currently accept the first set of transforms - * in a substructure only. We need to return multiple proposals, - * but this messes up proposal numbering, as we don't support - * transform numbering. */ - break; + /* create a new proposal for each transform in IKEv1 */ + proposal = NULL; } } enumerator->destroy(enumerator); - - switch (this->spi.len) - { - case 4: - proposal->set_spi(proposal, *((u_int32_t*)this->spi.ptr)); - break; - case 8: - proposal->set_spi(proposal, *((u_int64_t*)this->spi.ptr)); - break; - default: - break; - } - return proposal; } METHOD(proposal_substructure_t, create_substructure_enumerator, enumerator_t*, 
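Review bot: Each IKEv1 transform now becomes its own proposal_t, but all of them are created with `this->proposal_number` and the transform's own number is not carried over, yet RFC 2408 §4.2 has the responder identify its choice by proposal and transform number, so two transforms of one IKEv1 proposal are indistinguishable to whoever selects from the returned list (the removed TODO said as much). Storing the transform number on the proposal, via whatever accessor transform_substructure_t exposes for the number passed to transform_substructure_create_type(), is needed before a responder can answer correctly. Separately, `spi = *((u_int32_t*)this->spi.ptr)` reads a parsed network buffer through a possibly misaligned pointer, which is undefined behaviour and traps on strict-alignment targets; `u_int32_t spi32; memcpy(&spi32, this->spi.ptr, sizeof(spi32)); spi = spi32;` (and the same for 8) keeps the semantics safely. Phase 1 proposals with a 16-octet cookie SPI (RFC 2408 §3.5 allows spi_size 0 to 16 for ISAKMP) fall to `default:` and get SPI 0, which is acceptable but deserves a comment.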
@@ -741,7 +742,7 @@ proposal_substructure_t *proposal_substructure_create(payload_type_t type) .set_protocol_id = _set_protocol_id, .get_protocol_id = _get_protocol_id, .set_is_last_proposal = _set_is_last_proposal, - .get_proposal = _get_proposal, + .get_proposals = _get_proposals, .create_substructure_enumerator = _create_substructure_enumerator, .set_spi = _set_spi, .get_spi = _get_spi, -- cgit v1.2.3 From 7a7f486df6c4d0f87de0146ce1c10315c0e75093 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Wed, 23 Nov 2011 13:56:21 +0100 Subject: Include hardcoded tunnel mode attribute in porposal, remove ESN attribute --- src/libcharon/encoding/payloads/proposal_substructure.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 66fa8997b..6173d07db 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -867,10 +867,10 @@ static void set_from_proposal_v1_esp(private_proposal_substructure_t *this, } enumerator->destroy(enumerator); - /* TODO-IKEv1: Add lifetime and other attributes, non-fixes ESN */ + /* TODO-IKEv1: Add lifetime and other attributes, ESN */ transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, - TATTR_PH2_EXT_SEQ_NUMBER, NO_EXT_SEQ_NUMBERS)); + TATTR_PH2_ENCAP_MODE, IKEV1_ENCAP_TUNNEL)); transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS)); -- cgit v1.2.3 From 8b30286fcf99707dfd22601877c7b30c661ce4a2 Mon Sep 17 00:00:00 2001 
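Review bot: Hard-coding `TATTR_PH2_ENCAP_MODE, IKEV1_ENCAP_TUNNEL` means a transport-mode configuration, and any NAT-T UDP-encapsulated variant, is proposed as plain tunnel mode regardless of what was configured; the peer will accept it and the resulting SA will not match policy. Until the mode is threaded through from the caller, a comment stating that transport mode is currently not negotiable is the minimum; a `mode` parameter is the real fix. Dropping the ESN attribute is defensible if RFC 4304's absence-means-no-ESN rule is what you rely on, but the replacement comment only says `ESN` — spell that reliance out. The enclosing function starts outside this hunk.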
From: Clavister OpenSource Date: Thu, 24 Nov 2011 11:37:36 +0100 Subject: IKEv1 XAuth: Add XAUTH authentication types to the enum. Added the ability to switch between hardcoded PSK and XAUTH_INIT_PSK authentications using a flag, default to PSK. --- src/libcharon/encoding/payloads/proposal_substructure.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 6173d07db..924f5cb48 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -237,6 +237,16 @@ typedef enum { IKEV1_AUTH_RSA_SIG = 3, IKEV1_AUTH_RSA_ENC = 4, IKEV1_AUTH_RSA_ENC_REV = 5, + IKEV1_AUTH_XAUTH_INIT_PSK = 65001, + IKEV1_AUTH_XAUTH_RESP_PSK = 65002, + IKEV1_AUTH_XAUTH_INIT_DSS = 65003, + IKEV1_AUTH_XAUTH_RESP_DSS = 65004, + IKEV1_AUTH_XAUTH_INIT_RSA = 65005, + IKEV1_AUTH_XAUTH_RESP_RSA = 65006, + IKEV1_AUTH_XAUTH_INIT_RSA_ENC = 65007, + IKEV1_AUTH_XAUTH_RESP_RSA_ENC = 65008, + IKEV1_AUTH_XAUTH_INIT_RSA_ENC_REV = 65009, + IKEV1_AUTH_XAUTH_RESP_RSA_ENC_REV = 65010, } ikev1_auth_method_t; METHOD(payload_t, verify, status_t, 
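Review bot: The ten `IKEV1_AUTH_XAUTH_*` enumerators are private-use values (65001–65010) from the expired XAUTH Internet-Draft, not IANA-assigned IKEv1 authentication methods, and the enum should say so, e.g. `/* XAUTH authentication methods, private-use values from draft-ietf-ipsec-isakmp-xauth */`, because anyone matching them against the IANA registry will not find them. The INIT/RESP alternation per base method is easy to get wrong when extending the list; a one-line comment pinning which side is the XAUTH client for `*_INIT_*` versus `*_RESP_*` would help, though I cannot verify that semantics from the hunk itself. The enum starts outside this hunk.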
@@ -813,9 +823,16 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, enumerator->destroy(enumerator); /* TODO-IKEv1: Add lifetime, non-fixed auth-method and other attributes */ + if(1) /* TODO-IKEv1: Change to 0 if XAUTH is desired. */ + { transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, TATTR_PH1_AUTH_METHOD, IKEV1_AUTH_PSK)); + }else{ + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH1_AUTH_METHOD, IKEV1_AUTH_XAUTH_INIT_PSK)); + } transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, TATTR_PH1_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS)); -- cgit v1.2.3 From fbebc2a068942d16c20f8439b140027395ba25a0 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 24 Nov 2011 12:52:11 +0100 Subject: Implemented encoding of additional IKEv1 proposal attributes --- .../encoding/payloads/proposal_substructure.c | 163 ++++++++++++++------- 1 file changed, 113 insertions(+), 50 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 924f5cb48..11d684f5e 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c 
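Review bot: `if(1) /* TODO-IKEv1: Change to 0 if XAUTH is desired. */` hard-wires a behaviour switch into a constant condition, leaving an unreachable branch that compilers will warn about and that nobody can flip without editing the source; a file-scope `#define` or, better, an auth-method parameter on set_from_proposal_v1_ike is the right shape even for a temporary toggle. The `}else{` brace style and the un-indented bodies also deviate from the surrounding code. The enclosing function starts outside this hunk.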
@@ -572,6 +572,41 @@ static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value) return 0; } +/** + * Get IKEv1 authentication attribute from auth_method_t + */ +static u_int16_t get_ikev1_auth(auth_method_t method) +{ + switch (method) + { + case AUTH_RSA: + return IKEV1_AUTH_RSA_SIG; + case AUTH_DSS: + return IKEV1_AUTH_DSS_SIG; + default: + /* TODO-IKEv1: Handle XAUTH methods */ + /* TODO-IKEv1: Handle ECDSA methods */ + case AUTH_PSK: + return IKEV1_AUTH_PSK; + } +} + +/** + * Get IKEv1 encapsulation mode + */ +static u_int16_t get_ikev1_mode(ipsec_mode_t mode, bool udp) +{ + switch (mode) + { + case MODE_TUNNEL: + return udp ? IKEV1_ENCAP_UDP_TUNNEL : IKEV1_ENCAP_TUNNEL; + case MODE_TRANSPORT: + return udp ? IKEV1_ENCAP_UDP_TRANSPORT : IKEV1_ENCAP_TRANSPORT; + default: + return IKEV1_ENCAP_TUNNEL; + } +} + /** * Add an IKE transform to a proposal for IKEv1 */ @@ -771,7 +806,8 @@ proposal_substructure_t *proposal_substructure_create(payload_type_t type) * Add an IKEv1 IKE proposal to the substructure */ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, - proposal_t *proposal, int number) + proposal_t *proposal, u_int32_t lifetime, + auth_method_t method, int number) { transform_substructure_t *transform; u_int16_t alg, key_size; 
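Review bot: get_ikev1_auth() turns every unsupported auth_method_t — ECDSA, the non-INIT-PSK XAUTH variants, anything added later — into IKEV1_AUTH_PSK via the `default:` fall-through into `case AUTH_PSK:`, so a configuration that asks for certificate authentication silently proposes a pre-shared key instead; that is a downgrade the operator never asked for and should fail rather than default. Returning 0 for unhandled cases (`default: return 0;`) and having set_from_proposal_v1_ike drop the transform, or at least log, when no IKEv1 method exists keeps an unsupported method from being negotiated; RFC 2409 makes the authentication-method attribute mandatory, so an unencodable method cannot produce a valid transform anyway. get_ikev1_mode()'s `default:` similarly maps any other ipsec_mode_t to tunnel; a comment naming which modes are expected to reach it would help.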
@@ -822,23 +858,15 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, } enumerator->destroy(enumerator); - /* TODO-IKEv1: Add lifetime, non-fixed auth-method and other attributes */ - if(1) /* TODO-IKEv1: Change to 0 if XAUTH is desired. */ - { transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, - TATTR_PH1_AUTH_METHOD, IKEV1_AUTH_PSK)); - }else{ - transform->add_transform_attribute(transform, - transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, - TATTR_PH1_AUTH_METHOD, IKEV1_AUTH_XAUTH_INIT_PSK)); - } + TATTR_PH1_AUTH_METHOD, get_ikev1_auth(method))); transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, TATTR_PH1_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS)); transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, - TATTR_PH1_LIFE_DURATION, 10800)); + TATTR_PH1_LIFE_DURATION, lifetime)); add_transform_substructure(this, transform); } @@ -847,7 +875,8 @@ static void set_from_proposal_v1_ike(private_proposal_substructure_t *this, * Add an IKEv1 ESP proposal to the substructure */ static void set_from_proposal_v1_esp(private_proposal_substructure_t *this, - proposal_t *proposal, int number) + proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes, + ipsec_mode_t mode, bool udp, int number) { transform_substructure_t *transform = NULL; u_int16_t alg, key_size; 
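Review bot: In the IKE hunk the lifetime attributes are emitted unconditionally, so a caller passing `lifetime == 0` sends a `TATTR_PH1_LIFE_DURATION` of 0, while the ESP path in the same commit guards with `if (lifetime)`; the two should agree, presumably `if (lifetime) { ... }` here too, unless a zero-duration attribute is meaningful to peers, which I doubt. The new `lifetime`, `method` and `number` parameters also lack documentation on the function header, which starts outside this hunk: units (seconds), what happens for an unmappable `method`, and that `number` is the IKEv1 transform number.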
@@ -884,16 +913,27 @@ static void set_from_proposal_v1_esp(private_proposal_substructure_t *this, } enumerator->destroy(enumerator); - /* TODO-IKEv1: Add lifetime and other attributes, ESN */ - transform->add_transform_attribute(transform, - transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, - TATTR_PH2_ENCAP_MODE, IKEV1_ENCAP_TUNNEL)); transform->add_transform_attribute(transform, transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH2_ENCAP_MODE, get_ikev1_mode(mode, udp))); + if (lifetime) + { + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS)); - transform->add_transform_attribute(transform, - transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, - TATTR_PH2_SA_LIFE_DURATION, 3600)); + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH2_SA_LIFE_DURATION, lifetime)); + } + else if (lifebytes) + { + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_KILOBYTES)); + transform->add_transform_attribute(transform, + transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1, + TATTR_PH2_SA_LIFE_DURATION, lifebytes / 1000)); + } add_transform_substructure(this, transform); } 
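Review bot: `else if (lifebytes)` drops the byte limit whenever a time limit is configured, so a peer is never told about a configured rekey-by-volume threshold when both are set; RFC 2407 §4.5 allows several Life Type/Duration pairs in one transform, so this can simply be `if (lifebytes)` and emit both. `lifebytes / 1000` is a u_int64_t going into transform_attribute_create_value(); whether that helper emits a variable-length attribute for values above 16 bits (or 32 bits) is outside the hunk and worth a comment, since large byte limits are common. RFC 2407's unit is kilobytes, so also document whether dividing by 1000 rather than 1024 is a deliberate interpretation. The enclosing function starts outside this hunk.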
@@ -965,36 +1005,14 @@ static void set_from_proposal_v2(private_proposal_substructure_t *this, enumerator->destroy(enumerator); } -/* - * Described in header. +/** + * Set SPI and other data from proposal, compute length */ -proposal_substructure_t *proposal_substructure_create_from_proposal( - payload_type_t type, proposal_t *proposal) +static void set_data(private_proposal_substructure_t *this, proposal_t *proposal) { - private_proposal_substructure_t *this; u_int64_t spi64; u_int32_t spi32; - this = (private_proposal_substructure_t*)proposal_substructure_create(type); - - if (type == PROPOSAL_SUBSTRUCTURE) - { - set_from_proposal_v2(this, proposal); - } - else - { - switch (proposal->get_protocol(proposal)) - { - case PROTO_IKE: - set_from_proposal_v1_ike(this, proposal, 0); - break; - case PROTO_ESP: - set_from_proposal_v1_esp(this, proposal, 0); - break; - default: - break; - } - } /* add SPI, if necessary */ switch (proposal->get_protocol(proposal)) { 
@@ -1018,6 +1036,48 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( this->proposal_number = proposal->get_number(proposal); this->protocol_id = proposal->get_protocol(proposal); compute_length(this); +} + +/* + * Described in header. + */ +proposal_substructure_t *proposal_substructure_create_from_proposal_v2( + proposal_t *proposal) +{ + private_proposal_substructure_t *this; + + this = (private_proposal_substructure_t*) + proposal_substructure_create(SECURITY_ASSOCIATION); + set_from_proposal_v2(this, proposal); + set_data(this, proposal); + + return &this->public; +} + +/** + * See header. + */ +proposal_substructure_t *proposal_substructure_create_from_proposal_v1( + proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes, + auth_method_t auth, ipsec_mode_t mode, bool udp) +{ + private_proposal_substructure_t *this; + + this = (private_proposal_substructure_t*) + proposal_substructure_create(PROPOSAL_SUBSTRUCTURE_V1); + switch (proposal->get_protocol(proposal)) + { + case PROTO_IKE: + set_from_proposal_v1_ike(this, proposal, lifetime, auth, 0); + break; + case PROTO_ESP: + set_from_proposal_v1_esp(this, proposal, lifetime, + lifebytes, mode, udp, 0); + break; + default: + break; + } + set_data(this, proposal); return &this->public; } @@ -1025,8 +1085,9 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( /** * See header. */ -proposal_substructure_t *proposal_substructure_create_from_proposals( - linked_list_t *proposals) +proposal_substructure_t *proposal_substructure_create_from_proposals_v1( + linked_list_t *proposals, u_int32_t lifetime, u_int64_t lifebytes, + auth_method_t auth, ipsec_mode_t mode, bool udp) { private_proposal_substructure_t *this = NULL; enumerator_t *enumerator; 
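Review bot: proposal_substructure_create_from_proposal_v2() creates the substructure with `proposal_substructure_create(SECURITY_ASSOCIATION)` while the v1 variant uses `PROPOSAL_SUBSTRUCTURE_V1`; that type is stored in `this->type`, is what get_proposals() (earlier on this page) compares against `PROPOSAL_SUBSTRUCTURE` to select the IKEv2 branch, and presumably what get_encoding_rules() uses to pick encodings_v2. Unless proposal_substructure_create() normalises the value, which is outside this hunk, an IKEv2 proposal built here is typed as an SA payload; this should read `proposal_substructure_create(PROPOSAL_SUBSTRUCTURE)`. Both new constructors would also benefit from header comments stating which payload type they yield and that `lifetime` and `lifebytes` are in seconds and bytes.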
@@ -1039,18 +1100,20 @@ proposal_substructure_t *proposal_substructure_create_from_proposals( if (!this) { this = (private_proposal_substructure_t*) - proposal_substructure_create_from_proposal( - PROPOSAL_SUBSTRUCTURE_V1, proposal); + proposal_substructure_create_from_proposal_v1( + proposal, lifetime, lifebytes, auth, mode, udp); } else { switch (proposal->get_protocol(proposal)) { case PROTO_IKE: - set_from_proposal_v1_ike(this, proposal, ++number); + set_from_proposal_v1_ike(this, proposal, lifetime, + auth, ++number); break; case PROTO_ESP: - set_from_proposal_v1_esp(this, proposal, ++number); + set_from_proposal_v1_esp(this, proposal, lifetime, + lifebytes, mode, udp, ++number); break; default: break; -- cgit v1.2.3 From 914ec2dbf29ea70a397418860fb304196131d845 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 24 Nov 2011 15:25:22 +0100 Subject: Implemented IKEv1 attribute encoding in SA payload --- .../encoding/payloads/proposal_substructure.c | 155 +++++++++++++++++++++ 1 file changed, 155 insertions(+) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c') diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 11d684f5e..ca19ba700 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c 
@@ -754,6 +754,157 @@ METHOD(proposal_substructure_t, create_substructure_enumerator, enumerator_t*, return this->transforms->create_enumerator(this->transforms); } +/** + * Get an attribute from a selected transform + */ +static u_int64_t get_attr_tfrm(transform_substructure_t *transform, + transform_attribute_type_t type) +{ + enumerator_t *enumerator; + transform_attribute_t *attr; + u_int64_t value = 0; + + enumerator = transform->create_attribute_enumerator(transform); + while (enumerator->enumerate(enumerator, &attr)) + { + if (attr->get_attribute_type(attr) == type) + { + value = attr->get_value(attr); + break; + } + } + enumerator->destroy(enumerator); + return value; +} + + +/** + * Get an attribute from any transform, 0 if not found + */ +static u_int64_t get_attr(private_proposal_substructure_t *this, + transform_attribute_type_t type, transform_substructure_t **sel) +{ + transform_substructure_t *transform; + enumerator_t *enumerator; + u_int64_t value = 0; + + enumerator = this->transforms->create_enumerator(this->transforms); + while (enumerator->enumerate(enumerator, &transform)) + { + value = get_attr_tfrm(transform, type); + if (value) + { + if (sel) + { + *sel = transform; + } + break; + } + } + enumerator->destroy(enumerator); + return value; +} + +METHOD(proposal_substructure_t, get_lifetime, u_int32_t, + private_proposal_substructure_t *this) +{ + transform_substructure_t *transform; + transform_attribute_type_t type; + + switch (this->protocol_id) + { + case PROTO_IKE: + type = get_attr(this, TATTR_PH1_LIFE_TYPE, &transform); + if (type == IKEV1_LIFE_TYPE_SECONDS) + { + return get_attr_tfrm(transform, TATTR_PH1_LIFE_DURATION); + } + break; + case PROTO_ESP: + type = get_attr(this, TATTR_PH2_SA_LIFE_TYPE, &transform); + if (type == IKEV1_LIFE_TYPE_SECONDS) + { + return get_attr_tfrm(transform, TATTR_PH2_SA_LIFE_DURATION); + } + else if (type != IKEV1_LIFE_TYPE_KILOBYTES) + { /* default to 8 hours, RFC 2407 */ + return 28800; + } + break; + 
default: + break; + } + return 0; +} + +METHOD(proposal_substructure_t, get_lifebytes, u_int64_t, + private_proposal_substructure_t *this) +{ + transform_substructure_t *transform; + transform_attribute_type_t type; + + switch (this->protocol_id) + { + case PROTO_IKE: + type = get_attr(this, TATTR_PH1_LIFE_TYPE, &transform); + if (type == IKEV1_LIFE_TYPE_KILOBYTES) + { + return get_attr_tfrm(transform, TATTR_PH1_LIFE_DURATION); + } + break; + case PROTO_ESP: + type = get_attr(this, TATTR_PH2_SA_LIFE_TYPE, &transform); + if (type == IKEV1_LIFE_TYPE_KILOBYTES) + { + return get_attr_tfrm(transform, TATTR_PH1_LIFE_DURATION); + } + break; + default: + break; + } + return 0; + +} + +METHOD(proposal_substructure_t, get_auth_method, auth_method_t, + private_proposal_substructure_t *this) +{ + switch (get_attr(this, TATTR_PH1_AUTH_METHOD, NULL)) + { + case IKEV1_AUTH_PSK: + return AUTH_PSK; + case IKEV1_AUTH_RSA_SIG: + return AUTH_RSA; + case IKEV1_AUTH_DSS_SIG: + return AUTH_DSS; + default: + /* TODO-IKEv1: XAUTH, ECDSA sigs */ + return AUTH_NONE; + } +} + +METHOD(proposal_substructure_t, get_encap_mode, ipsec_mode_t, + private_proposal_substructure_t *this, bool *udp) +{ + *udp = FALSE; + switch (get_attr(this, TATTR_PH2_ENCAP_MODE, NULL)) + { + case IKEV1_ENCAP_TRANSPORT: + return MODE_TRANSPORT; + case IKEV1_ENCAP_TUNNEL: + return MODE_TRANSPORT; + case IKEV1_ENCAP_UDP_TRANSPORT: + *udp = TRUE; + return MODE_TRANSPORT; + case IKEV1_ENCAP_UDP_TUNNEL: + *udp = TRUE; + return MODE_TUNNEL; + default: + /* default to TUNNEL, RFC 2407 says implementation specific */ + return MODE_TUNNEL; + } +} + METHOD2(payload_t, proposal_substructure_t, destroy, void, private_proposal_substructure_t *this) { 
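Review bot: get_encap_mode() maps `IKEV1_ENCAP_TUNNEL` to `MODE_TRANSPORT`, so a peer proposing plain tunnel mode is interpreted as transport mode; that `case IKEV1_ENCAP_TUNNEL:` must `return MODE_TUNNEL;`. In get_lifebytes() the `PROTO_ESP` branch reads `TATTR_PH1_LIFE_DURATION` after matching `TATTR_PH2_SA_LIFE_TYPE`, i.e. the Phase 1 attribute; it should be `return get_attr_tfrm(transform, TATTR_PH2_SA_LIFE_DURATION);` as in get_lifetime(). A caveat worth a comment on get_attr(): it treats a value of 0 as "attribute absent", so an attribute whose legitimate value is 0 is indistinguishable from a missing one, and it returns the first transform carrying the attribute although, after the multi-proposal change earlier on this page, different transforms in one substructure may carry different lifetimes.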
@@ -791,6 +942,10 @@ proposal_substructure_t *proposal_substructure_create(payload_type_t type)
 .create_substructure_enumerator = _create_substructure_enumerator,
 .set_spi = _set_spi,
 .get_spi = _get_spi,
+ .get_lifetime = _get_lifetime,
+ .get_lifebytes = _get_lifebytes,
+ .get_auth_method = _get_auth_method,
+ .get_encap_mode = _get_encap_mode,
 .destroy = _destroy,
 },
 .next_payload = NO_PAYLOAD,
-- cgit v1.2.3
From b4e815354c5b225e718dca4beb59656fdac98875 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 24 Nov 2011 16:07:13 +0100 Subject: Map auth_class to auth method and IKEv1 proposal attribute --- src/libcharon/encoding/payloads/proposal_substructure.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c')
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index ca19ba700..7f075f103 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -583,8 +583,12 @@ static u_int16_t get_ikev1_auth(auth_method_t method)
 return IKEV1_AUTH_RSA_SIG;
 case AUTH_DSS:
 return IKEV1_AUTH_DSS_SIG;
+ case AUTH_XAUTH_INIT_PSK:
+ return IKEV1_AUTH_XAUTH_INIT_PSK;
+ case AUTH_XAUTH_INIT_RSA:
+ return IKEV1_AUTH_XAUTH_INIT_RSA;
 default:
- /* TODO-IKEv1: Handle XAUTH methods */
+ /* TODO-IKEv1: Handle other XAUTH methods */
 /* TODO-IKEv1: Handle ECDSA methods */
 case AUTH_PSK:
 return IKEV1_AUTH_PSK;
@@ -877,8 +881,12 @@ METHOD(proposal_substructure_t, get_auth_method, auth_method_t,
 return AUTH_RSA;
 case IKEV1_AUTH_DSS_SIG:
 return AUTH_DSS;
+ case IKEV1_AUTH_XAUTH_INIT_PSK:
+ return AUTH_XAUTH_INIT_PSK;
+ case IKEV1_AUTH_XAUTH_INIT_RSA:
+ return AUTH_XAUTH_INIT_RSA;
 default:
- /* TODO-IKEv1: XAUTH, ECDSA sigs */
+ /* TODO-IKEv1: other XAUTH, EC DSA sigs */
 return AUTH_NONE;
 }
 }
-- cgit v1.2.3
From fd24c700fb280d56483d239af6448d5d433e2400 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Fri, 25 Nov 2011 11:25:45 +0100 Subject: Use proper enum types in proposal_substructure. --- src/libcharon/encoding/payloads/proposal_substructure.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c')
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index 7f075f103..f758d1fbe 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -813,7 +813,7 @@ METHOD(proposal_substructure_t, get_lifetime, u_int32_t,
 private_proposal_substructure_t *this)
 {
 transform_substructure_t *transform;
- transform_attribute_type_t type;
+ ikev1_life_type_t type;
 switch (this->protocol_id)
 {
@@ -845,7 +845,7 @@ METHOD(proposal_substructure_t, get_lifebytes, u_int64_t,
 private_proposal_substructure_t *this)
 {
 transform_substructure_t *transform;
- transform_attribute_type_t type;
+ ikev1_life_type_t type;
 switch (this->protocol_id)
 {
-- cgit v1.2.3
From e102f86e88e6c2b2e689f8fbb39ec81c6212d32a Mon Sep 17 00:00:00 2001 From: Clavister OpenSource Date: Mon, 5 Dec 2011 13:44:22 +0100 Subject: Setting transform number in esp proposal. iPhone (racoon) fails quick mode when transform number is 0 --- src/libcharon/encoding/payloads/proposal_substructure.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) mode change 100644 => 100755 src/libcharon/encoding/payloads/proposal_substructure.c (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c')
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
old mode 100644
new mode 100755
index f758d1fbe..ca36206cb
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -1235,7 +1235,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
 break;
 case PROTO_ESP:
 set_from_proposal_v1_esp(this, proposal, lifetime,
- lifebytes, mode, udp, 0);
+ lifebytes, mode, udp, proposal->get_number(proposal));
 break;
 default:
 break;
-- cgit v1.2.3
From 9bb4de1d83babe724d846ca5442cdc12da065f77 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Wed, 7 Dec 2011 17:41:16 +0100 Subject: En- and decode DH group attribute in quick mode SA payloads --- src/libcharon/encoding/payloads/proposal_substructure.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c')
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index ca36206cb..d5778fab3 100755
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -684,6 +684,10 @@ static void add_to_proposal_v1_esp(proposal_t *proposal,
 proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM,
 get_alg_from_ikev1(INTEGRITY_ALGORITHM, value), 0);
 break;
+ case TATTR_PH2_GROUP:
+ proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
+ value, 0);
+ break;
 default:
 /* TODO-IKEv1: lifetimes other attributes */
 break;
@@ -1076,6 +1080,15 @@ static void set_from_proposal_v1_esp(private_proposal_substructure_t *this,
 }
 enumerator->destroy(enumerator);
+ enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
+ if (enumerator->enumerate(enumerator, &alg, &key_size))
+ {
+ transform->add_transform_attribute(transform,
+ transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ TATTR_PH2_GROUP, alg));
+ }
+ enumerator->destroy(enumerator);
+
 transform->add_transform_attribute(transform,
 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
 TATTR_PH2_ENCAP_MODE, get_ikev1_mode(mode, udp)));
-- cgit v1.2.3
From 51da01a7220933cd2da0041f6dafb2dc13684b5d Mon Sep 17 00:00:00 2001
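Review bot: The new TATTR_PH2_GROUP case in add_to_proposal_v1_esp (the function's body begins outside the hunk) passes the peer-supplied attribute `value` to add_algorithm unchanged, while the neighbouring INTEGRITY_ALGORITHM case translates through get_alg_from_ikev1; IKEv1 and IKEv2 share the Diffie-Hellman group numbering, so skipping the translation is defensible, but the reason should be written down, e.g. `/* DH group numbers are identical in IKEv1 and IKEv2, no mapping needed */`. add_algorithm's parameter type is not visible here; if it is narrower than the 64-bit attribute value, an out-of-range group number from the wire is narrowed silently and could alias a valid group, so a guard such as `if (value > 0xffff) break;` before the call is cheap insurance. On the encoding side only the first DIFFIE_HELLMAN_GROUP yielded by the proposal enumerator is emitted, presumably because an IKEv1 transform carries a single group attribute, but any further groups in the proposal are dropped without a trace; a one-line comment there, `/* an IKEv1 transform carries at most one group attribute */`, would spare the next reader the question.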
From: Martin Willi Date: Wed, 14 Dec 2011 09:43:44 +0100 Subject: Support encoding of Hybrid initiator authentication method --- src/libcharon/encoding/payloads/proposal_substructure.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c')
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index d5778fab3..57b948145 100755
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -247,6 +247,11 @@ typedef enum {
 IKEV1_AUTH_XAUTH_RESP_RSA_ENC = 65008,
 IKEV1_AUTH_XAUTH_INIT_RSA_ENC_REV = 65009,
 IKEV1_AUTH_XAUTH_RESP_RSA_ENC_REV = 65010,
+ IKEV1_AUTH_HYBRID_INIT_RSA = 64221,
+ IKEV1_AUTH_HYBRID_RESP_RSA = 64222,
+ IKEV1_AUTH_HYBRID_INIT_DSS = 64223,
+ IKEV1_AUTH_HYBRID_RESP_DSS = 64224,
+
 } ikev1_auth_method_t;
 METHOD(payload_t, verify, status_t,
@@ -587,6 +592,8 @@ static u_int16_t get_ikev1_auth(auth_method_t method)
 return IKEV1_AUTH_XAUTH_INIT_PSK;
 case AUTH_XAUTH_INIT_RSA:
 return IKEV1_AUTH_XAUTH_INIT_RSA;
+ case AUTH_HYBRID_INIT_RSA:
+ return IKEV1_AUTH_HYBRID_INIT_RSA;
 default:
 /* TODO-IKEv1: Handle other XAUTH methods */
 /* TODO-IKEv1: Handle ECDSA methods */
@@ -889,6 +896,8 @@ METHOD(proposal_substructure_t, get_auth_method, auth_method_t,
 return AUTH_XAUTH_INIT_PSK;
 case IKEV1_AUTH_XAUTH_INIT_RSA:
 return AUTH_XAUTH_INIT_RSA;
+ case IKEV1_AUTH_HYBRID_INIT_RSA:
+ return AUTH_HYBRID_INIT_RSA;
 default:
 /* TODO-IKEv1: other XAUTH, ECDSA sigs */
 return AUTH_NONE;
-- cgit v1.2.3
From 3ba15819edb44d00f5c9f8ad06ea7e78a48515c4 Mon Sep 17 00:00:00 2001
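Review bot: The four IKEV1_AUTH_HYBRID_* code points added to ikev1_auth_method_t carry no reference, and unlike the XAUTH values directly above them, which sit in the RFC 2409 private-use range starting at 65001, 64221–64224 are as far as I recall neither IANA-assigned nor private use but taken from the expired draft-ietf-ipsec-isakmp-hybrid-auth; a comment saying so, e.g. `/* Hybrid authentication, draft-ietf-ipsec-isakmp-hybrid-auth */`, would tell the next reader where to verify them. Only IKEV1_AUTH_HYBRID_INIT_RSA is wired into get_ikev1_auth and get_auth_method; the responder and DSS variants still decode to AUTH_NONE through the existing default, which is acceptable but should be mentioned in the TODO comment the hunk leaves in place. The empty line added just before `} ikev1_auth_method_t;` should be dropped.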
From: Martin Willi Date: Wed, 14 Dec 2011 16:46:29 +0100 Subject: Remove executable flag from source code files --- src/libcharon/encoding/payloads/proposal_substructure.c | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 src/libcharon/encoding/payloads/proposal_substructure.c (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c')
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
old mode 100755
new mode 100644
-- cgit v1.2.3
From 26b02f50f4fb53195ccfa4830abf30ae763b9183 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Mon, 19 Dec 2011 10:12:52 +0100 Subject: Always use a transform number of 1 when encoding a single transform --- src/libcharon/encoding/payloads/proposal_substructure.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c')
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index 57b948145..77a4fe434 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -1243,7 +1243,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v2(
 * See header.
 */
 proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
- proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes,
+ proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes,
 auth_method_t auth, ipsec_mode_t mode, bool udp)
 {
 private_proposal_substructure_t *this;
@@ -1253,11 +1253,11 @@ proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
 switch (proposal->get_protocol(proposal))
 {
 case PROTO_IKE:
- set_from_proposal_v1_ike(this, proposal, lifetime, auth, 0);
+ set_from_proposal_v1_ike(this, proposal, lifetime, auth, 1);
 break;
 case PROTO_ESP:
 set_from_proposal_v1_esp(this, proposal, lifetime,
- lifebytes, mode, udp, proposal->get_number(proposal));
+ lifebytes, mode, udp, 1);
 break;
 default:
 break;
-- cgit v1.2.3
From 927c1dd9d2d7f932c40b890e275184d007c6743d Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Wed, 4 Jan 2012 14:43:15 +0100 Subject: Support IKEv1 proposal encodings having both lifebytes and a lifetime --- .../encoding/payloads/proposal_substructure.c | 125 ++++++++++----------- 1 file changed, 58 insertions(+), 67 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c')
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index 77a4fe434..ba7ef9961 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -770,121 +770,112 @@ METHOD(proposal_substructure_t, create_substructure_enumerator, enumerator_t*,
 }
 /**
- * Get an attribute from a selected transform
+ * Get an attribute from any transform, 0 if not found
 */
-static u_int64_t get_attr_tfrm(transform_substructure_t *transform,
- transform_attribute_type_t type)
+static u_int64_t get_attr(private_proposal_substructure_t *this,
+ transform_attribute_type_t type)
 {
- enumerator_t *enumerator;
+ enumerator_t *transforms, *attributes;
+ transform_substructure_t *transform;
 transform_attribute_t *attr;
- u_int64_t value = 0;
- enumerator = transform->create_attribute_enumerator(transform);
- while (enumerator->enumerate(enumerator, &attr))
+ transforms = this->transforms->create_enumerator(this->transforms);
+ while (transforms->enumerate(transforms, &transform))
 {
- if (attr->get_attribute_type(attr) == type)
+ attributes = transform->create_attribute_enumerator(transform);
+ while (attributes->enumerate(attributes, &attr))
 {
- value = attr->get_value(attr);
- break;
+ if (attr->get_attribute_type(attr) == type)
+ {
+ attributes->destroy(attributes);
+ transforms->destroy(transforms);
+ return attr->get_value(attr);
+ }
 }
+ attributes->destroy(attributes);
 }
- enumerator->destroy(enumerator);
- return value;
+ transforms->destroy(transforms);
+ return 0;
 }
-
 /**
- * Get an attribute from any transform, 0 if not found
+ * Look up a lifetime duration of a given kind in all transforms
 */
-static u_int64_t get_attr(private_proposal_substructure_t *this,
- transform_attribute_type_t type, transform_substructure_t **sel)
+static u_int64_t get_life_duration(private_proposal_substructure_t *this,
+ transform_attribute_type_t type_attr, ikev1_life_type_t type,
+ transform_attribute_type_t dur_attr)
 {
+ enumerator_t *transforms, *attributes;
 transform_substructure_t *transform;
- enumerator_t *enumerator;
- u_int64_t value = 0;
+ transform_attribute_t *attr;
- enumerator = this->transforms->create_enumerator(this->transforms);
- while (enumerator->enumerate(enumerator, &transform))
+ transforms = this->transforms->create_enumerator(this->transforms);
+ while (transforms->enumerate(transforms, &transform))
 {
- value = get_attr_tfrm(transform, type);
- if (value)
+ attributes = transform->create_attribute_enumerator(transform);
+ while (attributes->enumerate(attributes, &attr))
 {
- if (sel)
- {
- *sel = transform;
+ if (attr->get_attribute_type(attr) == type_attr &&
+ attr->get_value(attr) == type)
+ { /* got type attribute, look for duration following next */
+ while (attributes->enumerate(attributes, &attr))
+ {
+ if (attr->get_attribute_type(attr) == dur_attr)
+ {
+ attributes->destroy(attributes);
+ transforms->destroy(transforms);
+ return attr->get_value(attr);
+ }
+ }
 }
- break;
 }
+ attributes->destroy(attributes);
 }
- enumerator->destroy(enumerator);
- return value;
+ transforms->destroy(transforms);
+ return 0;
 }
 METHOD(proposal_substructure_t, get_lifetime, u_int32_t,
 private_proposal_substructure_t *this)
 {
- transform_substructure_t *transform;
- ikev1_life_type_t type;
+ u_int32_t duration;
 switch (this->protocol_id)
 {
 case PROTO_IKE:
- type = get_attr(this, TATTR_PH1_LIFE_TYPE, &transform);
- if (type == IKEV1_LIFE_TYPE_SECONDS)
- {
- return get_attr_tfrm(transform, TATTR_PH1_LIFE_DURATION);
- }
- break;
+ return get_life_duration(this, TATTR_PH1_LIFE_TYPE,
+ IKEV1_LIFE_TYPE_SECONDS, TATTR_PH1_LIFE_DURATION);
 case PROTO_ESP:
- type = get_attr(this, TATTR_PH2_SA_LIFE_TYPE, &transform);
- if (type == IKEV1_LIFE_TYPE_SECONDS)
- {
- return get_attr_tfrm(transform, TATTR_PH2_SA_LIFE_DURATION);
- }
- else if (type != IKEV1_LIFE_TYPE_KILOBYTES)
+ duration = get_life_duration(this, TATTR_PH2_SA_LIFE_TYPE,
+ IKEV1_LIFE_TYPE_SECONDS, TATTR_PH2_SA_LIFE_DURATION);
+ if (!duration)
 { /* default to 8 hours, RFC 2407 */
 return 28800;
 }
- break;
+ return duration;
 default:
- break;
+ return 0;
 }
- return 0;
 }
 METHOD(proposal_substructure_t, get_lifebytes, u_int64_t,
 private_proposal_substructure_t *this)
 {
- transform_substructure_t *transform;
- ikev1_life_type_t type;
-
 switch (this->protocol_id)
 {
- case PROTO_IKE:
- type = get_attr(this, TATTR_PH1_LIFE_TYPE, &transform);
- if (type == IKEV1_LIFE_TYPE_KILOBYTES)
- {
- return get_attr_tfrm(transform, TATTR_PH1_LIFE_DURATION);
- }
- break;
 case PROTO_ESP:
- type = get_attr(this, TATTR_PH2_SA_LIFE_TYPE, &transform);
- if (type == IKEV1_LIFE_TYPE_KILOBYTES)
- {
- return get_attr_tfrm(transform, TATTR_PH1_LIFE_DURATION);
- }
- break;
+ return 1000 * get_life_duration(this, TATTR_PH2_SA_LIFE_TYPE,
+ IKEV1_LIFE_TYPE_KILOBYTES, TATTR_PH2_SA_LIFE_DURATION);
+ case PROTO_IKE:
 default:
- break;
+ return 0;
 }
- return 0;
-
 }
 METHOD(proposal_substructure_t, get_auth_method, auth_method_t,
 private_proposal_substructure_t *this)
 {
- switch (get_attr(this, TATTR_PH1_AUTH_METHOD, NULL))
+ switch (get_attr(this, TATTR_PH1_AUTH_METHOD))
 {
 case IKEV1_AUTH_PSK:
 return AUTH_PSK;
@@ -908,7 +899,7 @@ METHOD(proposal_substructure_t, get_encap_mode, ipsec_mode_t,
 private_proposal_substructure_t *this, bool *udp)
 {
 *udp = FALSE;
- switch (get_attr(this, TATTR_PH2_ENCAP_MODE, NULL))
+ switch (get_attr(this, TATTR_PH2_ENCAP_MODE))
 {
 case IKEV1_ENCAP_TRANSPORT:
 return MODE_TRANSPORT;
@@ -1110,7 +1101,7 @@ static void set_from_proposal_v1_esp(private_proposal_substructure_t *this,
 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
 TATTR_PH2_SA_LIFE_DURATION, lifetime));
 }
- else if (lifebytes)
+ if (lifebytes)
 {
 transform->add_transform_attribute(transform,
 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
-- cgit v1.2.3
From 6261c0c3b7a79ff3ac2492af878d8fb5d681b4dc Mon Sep 17 00:00:00 2001
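Review bot: get_lifetime narrows the 64-bit result of get_life_duration to u_int32_t, explicitly through `u_int32_t duration` in the PROTO_ESP branch and implicitly in the PROTO_IKE `return`, so a peer-supplied duration above 4294967295 (possible only if the attribute parser accepts a variable-length value, which this hunk does not show) wraps to a small number of seconds, or to 0 and thus the 28800 default, instead of being clamped or rejected; keeping `duration` 64-bit and returning `duration > 0xffffffff ? 0xffffffff : (u_int32_t)duration` in both branches would be safer. The comment `/* got type attribute, look for duration following next */` in get_life_duration describes a stricter rule than the code applies: the inner loop accepts a matching duration anywhere later in the transform, so the sequence TYPE=seconds, TYPE=kilobytes, DURATION=x is reported as x seconds. RFC 2407 ties each duration to the life type immediately preceding it, so either take a single `enumerate` step after the match or reword the comment to say the scan is deliberately lenient. get_lifebytes converts with `1000 *`, treating the IKEv1 kilobyte as 1000 bytes; the encoding side in set_from_proposal_v1_esp lies outside this hunk and must divide by the same factor for a lifetime to round-trip, which a short comment at the multiplication should state.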
From: Martin Willi Date: Mon, 23 Jan 2012 12:25:00 +0100 Subject: Support encoding of IKEv1 ECDSA proposals --- .../encoding/payloads/proposal_substructure.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c')
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index ba7ef9961..b761b86f6 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -237,6 +237,9 @@ typedef enum {
 IKEV1_AUTH_RSA_SIG = 3,
 IKEV1_AUTH_RSA_ENC = 4,
 IKEV1_AUTH_RSA_ENC_REV = 5,
+ IKEV1_AUTH_ECDSA_256 = 9,
+ IKEV1_AUTH_ECDSA_384 = 10,
+ IKEV1_AUTH_ECDSA_521 = 11,
 IKEV1_AUTH_XAUTH_INIT_PSK = 65001,
 IKEV1_AUTH_XAUTH_RESP_PSK = 65002,
 IKEV1_AUTH_XAUTH_INIT_DSS = 65003,
@@ -594,10 +597,14 @@ static u_int16_t get_ikev1_auth(auth_method_t method)
 return IKEV1_AUTH_XAUTH_INIT_RSA;
 case AUTH_HYBRID_INIT_RSA:
 return IKEV1_AUTH_HYBRID_INIT_RSA;
- default:
- /* TODO-IKEv1: Handle other XAUTH methods */
- /* TODO-IKEv1: Handle ECDSA methods */
+ case AUTH_ECDSA_256:
+ return IKEV1_AUTH_ECDSA_256;
+ case AUTH_ECDSA_384:
+ return IKEV1_AUTH_ECDSA_384;
+ case AUTH_ECDSA_521:
+ return IKEV1_AUTH_ECDSA_521;
 case AUTH_PSK:
+ default:
 return IKEV1_AUTH_PSK;
 }
 }
@@ -654,7 +661,6 @@ static void add_to_proposal_v1_ike(proposal_t *proposal,
 value, 0);
 break;
 default:
- /* TODO-IKEv1: lifetimes, authentication and other attributes */
 break;
 }
 }
@@ -696,7 +702,6 @@ static void add_to_proposal_v1_esp(proposal_t *proposal,
 value, 0);
 break;
 default:
- /* TODO-IKEv1: lifetimes other attributes */
 break;
 }
 }
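Review bot: With both TODO comments removed, the `case AUTH_PSK:` / `default:` pairing in get_ikev1_auth becomes the permanent behaviour for every auth_method_t the switch does not list (the XAUTH responder variants, the hybrid DSS and responder variants, and any method added later), so a configuration requesting one of them is silently proposed on the wire as plain pre-shared key rather than being refused. That deserves at least a comment at the `default:` label, e.g. `/* no IKEv1 encoding for this method, fall back to PSK */`, and a log line if the file's logging macro is available, so the downgrade is visible when the negotiation later fails or succeeds with an unexpected method. The ECDSA code points 9, 10 and 11 added to ikev1_auth_method_t are the values assigned by RFC 4754; citing it in a comment next to them would save the next reader a lookup, since the enum as shown in this hunk references no source for any of its values.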
@@ -889,8 +894,13 @@ METHOD(proposal_substructure_t, get_auth_method, auth_method_t,
 return AUTH_XAUTH_INIT_RSA;
 case IKEV1_AUTH_HYBRID_INIT_RSA:
 return AUTH_HYBRID_INIT_RSA;
+ case IKEV1_AUTH_ECDSA_256:
+ return AUTH_ECDSA_256;
+ case IKEV1_AUTH_ECDSA_384:
+ return AUTH_ECDSA_384;
+ case IKEV1_AUTH_ECDSA_521:
+ return AUTH_ECDSA_521;
 default:
- /* TODO-IKEv1: other XAUTH, ECDSA sigs */
 return AUTH_NONE;
 }
 }
-- cgit v1.2.3
From 5ed4b727d0fb28d3dc508e2149aeee602efe9db1 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 24 Jan 2012 13:31:37 +0100 Subject: Fix mapping of IKEv1 encapsulation mode --- src/libcharon/encoding/payloads/proposal_substructure.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c')
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index b761b86f6..d95f6dfca 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -914,7 +914,7 @@ METHOD(proposal_substructure_t, get_encap_mode, ipsec_mode_t,
 case IKEV1_ENCAP_TRANSPORT:
 return MODE_TRANSPORT;
 case IKEV1_ENCAP_TUNNEL:
- return MODE_TRANSPORT;
+ return MODE_TUNNEL;
 case IKEV1_ENCAP_UDP_TRANSPORT:
 *udp = TRUE;
 return MODE_TRANSPORT;
-- cgit v1.2.3
From 3a9d5cbc146be02393a142bd3be2d11e0b3f4daf Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Fri, 3 Feb 2012 12:56:30 +0100 Subject: Fixed transform numbering in IKEv1 proposal. --- src/libcharon/encoding/payloads/proposal_substructure.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src/libcharon/encoding/payloads/proposal_substructure.c')
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index d95f6dfca..3a113c123 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -1288,6 +1288,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
 this = (private_proposal_substructure_t*)
 proposal_substructure_create_from_proposal_v1(
 proposal, lifetime, lifebytes, auth, mode, udp);
+ ++number;
 }
 else
 {