projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Exchange IKEv1 ESP SA proposal information
[strongswan.git] / src / libcharon / encoding / payloads / proposal_substructure.c
1 /*
2 * Copyright (C) 2005-2010 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <stddef.h>
18
19 #include "proposal_substructure.h"
20
21 #include <encoding/payloads/encodings.h>
22 #include <encoding/payloads/transform_substructure.h>
23 #include <library.h>
24 #include <utils/linked_list.h>
25 #include <daemon.h>
26
27 /**
28 * IKEv2 Value for a proposal payload.
29 */
30 #define PROPOSAL_TYPE_VALUE 2
31
32 typedef struct private_proposal_substructure_t private_proposal_substructure_t;
33
34 /**
35 * Private data of an proposal_substructure_t object.
36 */
37 struct private_proposal_substructure_t {
38
39 /**
40 * Public proposal_substructure_t interface.
41 */
42 proposal_substructure_t public;
43
44 /**
45 * Next payload type.
46 */
47 u_int8_t next_payload;
48
49 /**
50 * reserved byte
51 */
52 u_int8_t reserved;
53
54 /**
55 * Length of this payload.
56 */
57 u_int16_t proposal_length;
58
59 /**
60 * Proposal number.
61 */
62 u_int8_t proposal_number;
63
64 /**
65 * Protocol ID.
66 */
67 u_int8_t protocol_id;
68
69 /**
70 * SPI size of the following SPI.
71 */
72 u_int8_t spi_size;
73
74 /**
75 * Number of transforms.
76 */
77 u_int8_t transforms_count;
78
79 /**
80 * SPI is stored as chunk.
81 */
82 chunk_t spi;
83
84 /**
85 * Transforms are stored in a linked_list_t.
86 */
87 linked_list_t *transforms;
88
89 /**
90 * Type of this payload, PROPOSAL_SUBSTRUCTURE or PROPOSAL_SUBSTRUCTURE_V1
91 */
92 payload_type_t type;
93 };
94
95 /**
96 * Encoding rules for a IKEv1 Proposal substructure.
97 */
98 static encoding_rule_t encodings_v1[] = {
99 /* 1 Byte next payload type, stored in the field next_payload */
100 { U_INT_8, offsetof(private_proposal_substructure_t, next_payload) },
101 /* 1 Reserved Byte */
102 { RESERVED_BYTE, offsetof(private_proposal_substructure_t, reserved) },
103 /* Length of the whole proposal substructure payload*/
104 { PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) },
105 /* proposal number is a number of 8 bit */
106 { U_INT_8, offsetof(private_proposal_substructure_t, proposal_number) },
107 /* protocol ID is a number of 8 bit */
108 { U_INT_8, offsetof(private_proposal_substructure_t, protocol_id) },
109 /* SPI Size has its own type */
110 { SPI_SIZE, offsetof(private_proposal_substructure_t, spi_size) },
111 /* Number of transforms is a number of 8 bit */
112 { U_INT_8, offsetof(private_proposal_substructure_t, transforms_count) },
113 /* SPI is a chunk of variable size*/
114 { SPI, offsetof(private_proposal_substructure_t, spi) },
115 /* Transforms are stored in a transform substructure list */
116 { PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE_V1,
117 offsetof(private_proposal_substructure_t, transforms) },
118 };
119
120 /**
121 * Encoding rules for a IKEv2 Proposal substructure.
122 */
123 static encoding_rule_t encodings_v2[] = {
124 /* 1 Byte next payload type, stored in the field next_payload */
125 { U_INT_8, offsetof(private_proposal_substructure_t, next_payload) },
126 /* 1 Reserved Byte */
127 { RESERVED_BYTE, offsetof(private_proposal_substructure_t, reserved) },
128 /* Length of the whole proposal substructure payload*/
129 { PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) },
130 /* proposal number is a number of 8 bit */
131 { U_INT_8, offsetof(private_proposal_substructure_t, proposal_number) },
132 /* protocol ID is a number of 8 bit */
133 { U_INT_8, offsetof(private_proposal_substructure_t, protocol_id) },
134 /* SPI Size has its own type */
135 { SPI_SIZE, offsetof(private_proposal_substructure_t, spi_size) },
136 /* Number of transforms is a number of 8 bit */
137 { U_INT_8, offsetof(private_proposal_substructure_t, transforms_count) },
138 /* SPI is a chunk of variable size*/
139 { SPI, offsetof(private_proposal_substructure_t, spi) },
140 /* Transforms are stored in a transform substructure list */
141 { PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE,
142 offsetof(private_proposal_substructure_t, transforms) },
143 };
144
145 /*
146 1 2 3
147 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 ! 0 (last) or 2 ! RESERVED ! Proposal Length !
150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
151 ! Proposal # ! Protocol ID ! SPI Size !# of Transforms!
152 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
153 ~ SPI (variable) ~
154 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
155 ! !
156 ~ <Transforms> ~
157 ! !
158 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
159 */
160
161 /**
162 * Encryption.
163 */
164 typedef enum {
165 IKEV1_ENCR_DES_CBC = 1,
166 IKEV1_ENCR_IDEA_CBC = 2,
167 IKEV1_ENCR_BLOWFISH_CBC = 3,
168 IKEV1_ENCR_RC5_R16_B64_CBC = 4,
169 IKEV1_ENCR_3DES_CBC = 5,
170 IKEV1_ENCR_CAST_CBC = 6,
171 IKEV1_ENCR_AES_CBC = 7,
172 IKEV1_ENCR_CAMELLIA_CBC = 8,
173 IKEV1_ENCR_LAST = 9,
174 } ikev1_encryption_t;
175
176 /**
177 * IKEv1 hash.
178 */
179 typedef enum {
180 IKEV1_HASH_MD5 = 1,
181 IKEV1_HASH_SHA1 = 2,
182 IKEV1_HASH_TIGER = 3,
183 IKEV1_HASH_SHA2_256 = 4,
184 IKEV1_HASH_SHA2_384 = 5,
185 IKEV1_HASH_SHA2_512 = 6,
186 } ikev1_hash_t;
187
188 /**
189 * IKEv1 Transform ID IKE.
190 */
191 typedef enum {
192 IKEV1_TRANSID_KEY_IKE = 1,
193 } ikev1_ike_transid_t;
194
195 /**
196 * IKEv1 Transform ID ESP.
197 */
198 typedef enum {
199 IKEV1_TRANSID_ESP_DES_IV64 = 1,
200 IKEV1_TRANSID_ESP_DES = 2,
201 IKEV1_TRANSID_ESP_3DES = 3,
202 IKEV1_TRANSID_ESP_RC5 = 4,
203 IKEV1_TRANSID_ESP_IDEA = 5,
204 IKEV1_TRANSID_ESP_CAST = 6,
205 IKEV1_TRANSID_ESP_BLOWFISH = 7,
206 IKEV1_TRANSID_ESP_3IDEA = 8,
207 IKEV1_TRANSID_ESP_DES_IV32 = 9,
208 IKEV1_TRANSID_ESP_RC4 = 10,
209 IKEV1_TRANSID_ESP_NULL = 11,
210 IKEV1_TRANSID_ESP_AES_CBC = 12,
211 } ikev1_esp_transid_t;
212
213 /**
214 * IKEv1 ESP Encapsulation mode.
215 */
216 typedef enum {
217 IKEV1_ENCAP_TUNNEL = 1,
218 IKEV1_ENCAP_TRANSPORT = 2,
219 IKEV1_ENCAP_UDP_TUNNEL = 3,
220 IKEV1_ENCAP_UDP_TRANSPORT = 4,
221 } ikev1_esp_encap_t;
222
223 /**
224 * IKEv1 Life duration types.
225 */
226 typedef enum {
227 IKEV1_LIFE_TYPE_SECONDS = 1,
228 IKEV1_LIFE_TYPE_KILOBYTES = 2,
229 } ikev1_life_type_t;
230
231 /**
232 * IKEv1 authenticaiton methods
233 */
234 typedef enum {
235 IKEV1_AUTH_PSK = 1,
236 IKEV1_AUTH_DSS_SIG = 2,
237 IKEV1_AUTH_RSA_SIG = 3,
238 IKEV1_AUTH_RSA_ENC = 4,
239 IKEV1_AUTH_RSA_ENC_REV = 5,
240 IKEV1_AUTH_XAUTH_INIT_PSK = 65001,
241 IKEV1_AUTH_XAUTH_RESP_PSK = 65002,
242 IKEV1_AUTH_XAUTH_INIT_DSS = 65003,
243 IKEV1_AUTH_XAUTH_RESP_DSS = 65004,
244 IKEV1_AUTH_XAUTH_INIT_RSA = 65005,
245 IKEV1_AUTH_XAUTH_RESP_RSA = 65006,
246 IKEV1_AUTH_XAUTH_INIT_RSA_ENC = 65007,
247 IKEV1_AUTH_XAUTH_RESP_RSA_ENC = 65008,
248 IKEV1_AUTH_XAUTH_INIT_RSA_ENC_REV = 65009,
249 IKEV1_AUTH_XAUTH_RESP_RSA_ENC_REV = 65010,
250 } ikev1_auth_method_t;
251
252 METHOD(payload_t, verify, status_t,
253 private_proposal_substructure_t *this)
254 {
255 status_t status = SUCCESS;
256 enumerator_t *enumerator;
257 payload_t *current;
258
259 if (this->next_payload != NO_PAYLOAD && this->next_payload != 2)
260 {
261 /* must be 0 or 2 */
262 DBG1(DBG_ENC, "inconsistent next payload");
263 return FAILED;
264 }
265 if (this->transforms_count != this->transforms->get_count(this->transforms))
266 {
267 /* must be the same! */
268 DBG1(DBG_ENC, "transform count invalid");
269 return FAILED;
270 }
271
272 switch (this->protocol_id)
273 {
274 case PROTO_AH:
275 case PROTO_ESP:
276 if (this->spi.len != 4)
277 {
278 DBG1(DBG_ENC, "invalid SPI length in %N proposal",
279 protocol_id_names, this->protocol_id);
280 return FAILED;
281 }
282 break;
283 case PROTO_IKE:
284 if (this->spi.len != 0 && this->spi.len != 8)
285 {
286 DBG1(DBG_ENC, "invalid SPI length in IKE proposal");
287 return FAILED;
288 }
289 break;
290 default:
291 break;
292 }
293 enumerator = this->transforms->create_enumerator(this->transforms);
294 while (enumerator->enumerate(enumerator, &current))
295 {
296 status = current->verify(current);
297 if (status != SUCCESS)
298 {
299 DBG1(DBG_ENC, "TRANSFORM_SUBSTRUCTURE verification failed");
300 break;
301 }
302 }
303 enumerator->destroy(enumerator);
304
305 /* proposal number is checked in SA payload */
306 return status;
307 }
308
309 METHOD(payload_t, get_encoding_rules, int,
310 private_proposal_substructure_t *this, encoding_rule_t **rules)
311 {
312 if (this->type == PROPOSAL_SUBSTRUCTURE)
313 {
314 *rules = encodings_v2;
315 return countof(encodings_v2);
316 }
317 *rules = encodings_v1;
318 return countof(encodings_v1);
319 }
320
321 METHOD(payload_t, get_header_length, int,
322 private_proposal_substructure_t *this)
323 {
324 return 8 + this->spi_size;
325 }
326
327 METHOD(payload_t, get_type, payload_type_t,
328 private_proposal_substructure_t *this)
329 {
330 return this->type;
331 }
332
333 METHOD(payload_t, get_next_type, payload_type_t,
334 private_proposal_substructure_t *this)
335 {
336 return this->next_payload;
337 }
338
339 METHOD(payload_t, set_next_type, void,
340 private_proposal_substructure_t *this, payload_type_t type)
341 {
342 }
343
344 /**
345 * (re-)compute the length of the payload.
346 */
347 static void compute_length(private_proposal_substructure_t *this)
348 {
349 enumerator_t *enumerator;
350 payload_t *transform;
351
352 this->transforms_count = 0;
353 this->proposal_length = get_header_length(this);
354 enumerator = this->transforms->create_enumerator(this->transforms);
355 while (enumerator->enumerate(enumerator, &transform))
356 {
357 this->proposal_length += transform->get_length(transform);
358 this->transforms_count++;
359 }
360 enumerator->destroy(enumerator);
361 }
362
363 METHOD(payload_t, get_length, size_t,
364 private_proposal_substructure_t *this)
365 {
366 return this->proposal_length;
367 }
368
369 /**
370 * Add a transform substructure to the proposal
371 */
372 static void add_transform_substructure(private_proposal_substructure_t *this,
373 transform_substructure_t *transform)
374 {
375 if (this->transforms->get_count(this->transforms) > 0)
376 {
377 transform_substructure_t *last;
378
379 this->transforms->get_last(this->transforms, (void **)&last);
380 last->set_is_last_transform(last, FALSE);
381 }
382 transform->set_is_last_transform(transform,TRUE);
383 this->transforms->insert_last(this->transforms, transform);
384 compute_length(this);
385 }
386
387 METHOD(proposal_substructure_t, set_is_last_proposal, void,
388 private_proposal_substructure_t *this, bool is_last)
389 {
390 this->next_payload = is_last ? 0 : PROPOSAL_TYPE_VALUE;
391 }
392
393 METHOD(proposal_substructure_t, set_proposal_number, void,
394 private_proposal_substructure_t *this,u_int8_t proposal_number)
395 {
396 this->proposal_number = proposal_number;
397 }
398
399 METHOD(proposal_substructure_t, get_proposal_number, u_int8_t,
400 private_proposal_substructure_t *this)
401 {
402 return this->proposal_number;
403 }
404
405 METHOD(proposal_substructure_t, set_protocol_id, void,
406 private_proposal_substructure_t *this,u_int8_t protocol_id)
407 {
408 this->protocol_id = protocol_id;
409 }
410
411 METHOD(proposal_substructure_t, get_protocol_id, u_int8_t,
412 private_proposal_substructure_t *this)
413 {
414 return this->protocol_id;
415 }
416
417 METHOD(proposal_substructure_t, set_spi, void,
418 private_proposal_substructure_t *this, chunk_t spi)
419 {
420 free(this->spi.ptr);
421 this->spi = chunk_clone(spi);
422 this->spi_size = spi.len;
423 compute_length(this);
424 }
425
426 METHOD(proposal_substructure_t, get_spi, chunk_t,
427 private_proposal_substructure_t *this)
428 {
429 return this->spi;
430 }
431
432 /**
433 * Add a transform to a proposal for IKEv2
434 */
435 static void add_to_proposal_v2(proposal_t *proposal,
436 transform_substructure_t *transform)
437 {
438 transform_attribute_t *tattr;
439 enumerator_t *enumerator;
440 u_int16_t key_length = 0;
441
442 enumerator = transform->create_attribute_enumerator(transform);
443 while (enumerator->enumerate(enumerator, &tattr))
444 {
445 if (tattr->get_attribute_type(tattr) == TATTR_IKEV2_KEY_LENGTH)
446 {
447 key_length = tattr->get_value(tattr);
448 break;
449 }
450 }
451 enumerator->destroy(enumerator);
452
453 proposal->add_algorithm(proposal,
454 transform->get_transform_type_or_number(transform),
455 transform->get_transform_id(transform), key_length);
456 }
457
458 /**
459 * Map IKEv1 to IKEv2 algorithms
460 */
461 typedef struct {
462 u_int16_t ikev1;
463 u_int16_t ikev2;
464 } algo_map_t;
465
466 /**
467 * Encryption algorithm mapping
468 */
469 static algo_map_t map_encr[] = {
470 { IKEV1_ENCR_DES_CBC, ENCR_DES },
471 { IKEV1_ENCR_IDEA_CBC, ENCR_IDEA },
472 { IKEV1_ENCR_BLOWFISH_CBC, ENCR_BLOWFISH },
473 { IKEV1_ENCR_3DES_CBC, ENCR_3DES },
474 { IKEV1_ENCR_CAST_CBC, ENCR_CAST },
475 { IKEV1_ENCR_AES_CBC, ENCR_AES_CBC },
476 { IKEV1_ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CBC },
477 };
478
479 /**
480 * Integrity algorithm mapping
481 */
482 static algo_map_t map_integ[] = {
483 { IKEV1_HASH_MD5, AUTH_HMAC_MD5_96 },
484 { IKEV1_HASH_SHA1, AUTH_HMAC_SHA1_96 },
485 { IKEV1_HASH_SHA2_256, AUTH_HMAC_SHA2_256_128 },
486 { IKEV1_HASH_SHA2_384, AUTH_HMAC_SHA2_384_192 },
487 { IKEV1_HASH_SHA2_512, AUTH_HMAC_SHA2_512_256 },
488 };
489
490 /**
491 * PRF algorithm mapping
492 */
493 static algo_map_t map_prf[] = {
494 { IKEV1_HASH_MD5, PRF_HMAC_MD5 },
495 { IKEV1_HASH_SHA1, PRF_HMAC_SHA1 },
496 { IKEV1_HASH_SHA2_256, PRF_HMAC_SHA2_256 },
497 { IKEV1_HASH_SHA2_384, PRF_HMAC_SHA2_384 },
498 { IKEV1_HASH_SHA2_512, PRF_HMAC_SHA2_512 },
499 };
500
501 /**
502 * Get IKEv2 algorithm from IKEv1 identifier
503 */
504 static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value)
505 {
506 algo_map_t *map;
507 u_int16_t def;
508 int i, count;
509
510 switch (type)
511 {
512 case ENCRYPTION_ALGORITHM:
513 map = map_encr;
514 count = countof(map_encr);
515 def = ENCR_UNDEFINED;
516 break;
517 case INTEGRITY_ALGORITHM:
518 map = map_integ;
519 count = countof(map_integ);
520 def = AUTH_UNDEFINED;
521 break;
522 case PSEUDO_RANDOM_FUNCTION:
523 map = map_prf;
524 count = countof(map_prf);
525 def = PRF_UNDEFINED;
526 break;
527 default:
528 return 0;
529 }
530 for (i = 0; i < count; i++)
531 {
532 if (map[i].ikev1 == value)
533 {
534 return map[i].ikev2;
535 }
536 }
537 return def;
538 }
539
540 /**
541 * Get IKEv1 algorithm from IKEv2 identifier
542 */
543 static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value)
544 {
545 algo_map_t *map;
546 int i, count;
547
548 switch (type)
549 {
550 case ENCRYPTION_ALGORITHM:
551 map = map_encr;
552 count = countof(map_encr);
553 break;
554 case INTEGRITY_ALGORITHM:
555 map = map_integ;
556 count = countof(map_integ);
557 break;
558 case PSEUDO_RANDOM_FUNCTION:
559 map = map_prf;
560 count = countof(map_prf);
561 break;
562 default:
563 return 0;
564 }
565 for (i = 0; i < count; i++)
566 {
567 if (map[i].ikev2 == value)
568 {
569 return map[i].ikev1;
570 }
571 }
572 return 0;
573 }
574
575 /**
576 * Add an IKE transform to a proposal for IKEv1
577 */
578 static void add_to_proposal_v1_ike(proposal_t *proposal,
579 transform_substructure_t *transform)
580 {
581 transform_attribute_type_t type;
582 transform_attribute_t *tattr;
583 enumerator_t *enumerator;
584 u_int16_t value, key_length = 0;
585 u_int16_t encr = ENCR_UNDEFINED;
586
587 enumerator = transform->create_attribute_enumerator(transform);
588 while (enumerator->enumerate(enumerator, &tattr))
589 {
590 type = tattr->get_attribute_type(tattr);
591 value = tattr->get_value(tattr);
592 switch (type)
593 {
594 case TATTR_PH1_ENCRYPTION_ALGORITHM:
595 encr = get_alg_from_ikev1(ENCRYPTION_ALGORITHM, value);
596 break;
597 case TATTR_PH1_KEY_LENGTH:
598 key_length = value;
599 break;
600 case TATTR_PH1_HASH_ALGORITHM:
601 proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM,
602 get_alg_from_ikev1(INTEGRITY_ALGORITHM, value), 0);
603 proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION,
604 get_alg_from_ikev1(PSEUDO_RANDOM_FUNCTION, value), 0);
605 break;
606 case TATTR_PH1_GROUP:
607 proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
608 value, 0);
609 break;
610 default:
611 /* TODO-IKEv1: lifetimes, authentication and other attributes */
612 break;
613 }
614 }
615 enumerator->destroy(enumerator);
616
617 if (encr != ENCR_UNDEFINED)
618 {
619 proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, key_length);
620 }
621 }
622
623 /**
624 * Add an ESP transform to a proposal for IKEv1
625 */
626 static void add_to_proposal_v1_esp(proposal_t *proposal,
627 transform_substructure_t *transform)
628 {
629 transform_attribute_type_t type;
630 transform_attribute_t *tattr;
631 enumerator_t *enumerator;
632 u_int16_t value, key_length = 0;
633
634 enumerator = transform->create_attribute_enumerator(transform);
635 while (enumerator->enumerate(enumerator, &tattr))
636 {
637 type = tattr->get_attribute_type(tattr);
638 value = tattr->get_value(tattr);
639 switch (type)
640 {
641 case TATTR_PH2_KEY_LENGTH:
642 key_length = value;
643 break;
644 case TATTR_PH2_AUTH_ALGORITHM:
645 proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM,
646 get_alg_from_ikev1(INTEGRITY_ALGORITHM, value), 0);
647 break;
648 default:
649 /* TODO-IKEv1: lifetimes other attributes */
650 break;
651 }
652 }
653 enumerator->destroy(enumerator);
654
655 /* TODO-IKEv1: handle ESN attribute */
656 proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS,
657 NO_EXT_SEQ_NUMBERS, 0);
658
659 proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM,
660 transform->get_transform_id(transform), key_length);
661 }
662
663 METHOD(proposal_substructure_t, get_proposals, void,
664 private_proposal_substructure_t *this, linked_list_t *proposals)
665 {
666 transform_substructure_t *transform;
667 enumerator_t *enumerator;
668 proposal_t *proposal = NULL;
669 u_int64_t spi = 0;
670
671 switch (this->spi.len)
672 {
673 case 4:
674 spi = *((u_int32_t*)this->spi.ptr);
675 break;
676 case 8:
677 spi = *((u_int64_t*)this->spi.ptr);
678 break;
679 default:
680 break;
681 }
682
683 enumerator = this->transforms->create_enumerator(this->transforms);
684 while (enumerator->enumerate(enumerator, &transform))
685 {
686 if (!proposal)
687 {
688 proposal = proposal_create(this->protocol_id, this->proposal_number);
689 proposal->set_spi(proposal, spi);
690 proposals->insert_last(proposals, proposal);
691 }
692 if (this->type == PROPOSAL_SUBSTRUCTURE)
693 {
694 add_to_proposal_v2(proposal, transform);
695 }
696 else
697 {
698 switch (this->protocol_id)
699 {
700 case PROTO_IKE:
701 add_to_proposal_v1_ike(proposal, transform);
702 break;
703 case PROTO_ESP:
704 add_to_proposal_v1_esp(proposal, transform);
705 break;
706 default:
707 break;
708 }
709 /* create a new proposal for each transform in IKEv1 */
710 proposal = NULL;
711 }
712 }
713 enumerator->destroy(enumerator);
714 }
715
716 METHOD(proposal_substructure_t, create_substructure_enumerator, enumerator_t*,
717 private_proposal_substructure_t *this)
718 {
719 return this->transforms->create_enumerator(this->transforms);
720 }
721
722 METHOD2(payload_t, proposal_substructure_t, destroy, void,
723 private_proposal_substructure_t *this)
724 {
725 this->transforms->destroy_offset(this->transforms,
726 offsetof(payload_t, destroy));
727 chunk_free(&this->spi);
728 free(this);
729 }
730
731 /*
732 * Described in header.
733 */
734 proposal_substructure_t *proposal_substructure_create(payload_type_t type)
735 {
736 private_proposal_substructure_t *this;
737
738 INIT(this,
739 .public = {
740 .payload_interface = {
741 .verify = _verify,
742 .get_encoding_rules = _get_encoding_rules,
743 .get_header_length = _get_header_length,
744 .get_length = _get_length,
745 .get_next_type = _get_next_type,
746 .set_next_type = _set_next_type,
747 .get_type = _get_type,
748 .destroy = _destroy,
749 },
750 .set_proposal_number = _set_proposal_number,
751 .get_proposal_number = _get_proposal_number,
752 .set_protocol_id = _set_protocol_id,
753 .get_protocol_id = _get_protocol_id,
754 .set_is_last_proposal = _set_is_last_proposal,
755 .get_proposals = _get_proposals,
756 .create_substructure_enumerator = _create_substructure_enumerator,
757 .set_spi = _set_spi,
758 .get_spi = _get_spi,
759 .destroy = _destroy,
760 },
761 .next_payload = NO_PAYLOAD,
762 .transforms = linked_list_create(),
763 .type = type,
764 );
765 compute_length(this);
766
767 return &this->public;
768 }
769
770 /**
771 * Add an IKEv1 IKE proposal to the substructure
772 */
773 static void set_from_proposal_v1_ike(private_proposal_substructure_t *this,
774 proposal_t *proposal, int number)
775 {
776 transform_substructure_t *transform;
777 u_int16_t alg, key_size;
778 enumerator_t *enumerator;
779
780 transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1,
781 number, IKEV1_TRANSID_KEY_IKE);
782
783 enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
784 if (enumerator->enumerate(enumerator, &alg, &key_size))
785 {
786 alg = get_ikev1_from_alg(ENCRYPTION_ALGORITHM, alg);
787 if (alg)
788 {
789 transform->add_transform_attribute(transform,
790 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
791 TATTR_PH1_ENCRYPTION_ALGORITHM, alg));
792 if (key_size)
793 {
794 transform->add_transform_attribute(transform,
795 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
796 TATTR_PH1_KEY_LENGTH, key_size));
797 }
798 }
799 }
800 enumerator->destroy(enumerator);
801
802 /* encode the integrity algorithm as hash and assume use the same PRF */
803 enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
804 if (enumerator->enumerate(enumerator, &alg, &key_size))
805 {
806 alg = get_ikev1_from_alg(INTEGRITY_ALGORITHM, alg);
807 if (alg)
808 {
809 transform->add_transform_attribute(transform,
810 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
811 TATTR_PH1_HASH_ALGORITHM, alg));
812 }
813 }
814 enumerator->destroy(enumerator);
815
816 enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
817 if (enumerator->enumerate(enumerator, &alg, &key_size))
818 {
819 transform->add_transform_attribute(transform,
820 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
821 TATTR_PH1_GROUP, alg));
822 }
823 enumerator->destroy(enumerator);
824
825 /* TODO-IKEv1: Add lifetime, non-fixed auth-method and other attributes */
826 if(1) /* TODO-IKEv1: Change to 0 if XAUTH is desired. */
827 {
828 transform->add_transform_attribute(transform,
829 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
830 TATTR_PH1_AUTH_METHOD, IKEV1_AUTH_PSK));
831 }else{
832 transform->add_transform_attribute(transform,
833 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
834 TATTR_PH1_AUTH_METHOD, IKEV1_AUTH_XAUTH_INIT_PSK));
835 }
836 transform->add_transform_attribute(transform,
837 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
838 TATTR_PH1_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS));
839 transform->add_transform_attribute(transform,
840 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
841 TATTR_PH1_LIFE_DURATION, 10800));
842
843 add_transform_substructure(this, transform);
844 }
845
846 /**
847 * Add an IKEv1 ESP proposal to the substructure
848 */
849 static void set_from_proposal_v1_esp(private_proposal_substructure_t *this,
850 proposal_t *proposal, int number)
851 {
852 transform_substructure_t *transform = NULL;
853 u_int16_t alg, key_size;
854 enumerator_t *enumerator;
855
856 enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
857 if (enumerator->enumerate(enumerator, &alg, &key_size))
858 {
859 transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1,
860 number, alg);
861 if (key_size)
862 {
863 transform->add_transform_attribute(transform,
864 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
865 TATTR_PH2_KEY_LENGTH, key_size));
866 }
867 }
868 enumerator->destroy(enumerator);
869 if (!transform)
870 {
871 return;
872 }
873
874 enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
875 if (enumerator->enumerate(enumerator, &alg, &key_size))
876 {
877 alg = get_ikev1_from_alg(INTEGRITY_ALGORITHM, alg);
878 if (alg)
879 {
880 transform->add_transform_attribute(transform,
881 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
882 TATTR_PH2_AUTH_ALGORITHM, alg));
883 }
884 }
885 enumerator->destroy(enumerator);
886
887 /* TODO-IKEv1: Add lifetime and other attributes, ESN */
888 transform->add_transform_attribute(transform,
889 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
890 TATTR_PH2_ENCAP_MODE, IKEV1_ENCAP_TUNNEL));
891 transform->add_transform_attribute(transform,
892 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
893 TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS));
894 transform->add_transform_attribute(transform,
895 transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
896 TATTR_PH2_SA_LIFE_DURATION, 3600));
897
898 add_transform_substructure(this, transform);
899 }
900
901 /**
902 * Add an IKEv2 proposal to the substructure
903 */
904 static void set_from_proposal_v2(private_proposal_substructure_t *this,
905 proposal_t *proposal)
906 {
907 transform_substructure_t *transform;
908 u_int16_t alg, key_size;
909 enumerator_t *enumerator;
910
911 /* encryption algorithm is only available in ESP */
912 enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
913 while (enumerator->enumerate(enumerator, &alg, &key_size))
914 {
915 transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
916 ENCRYPTION_ALGORITHM, alg);
917 if (key_size)
918 {
919 transform->add_transform_attribute(transform,
920 transform_attribute_create_value(TRANSFORM_ATTRIBUTE,
921 TATTR_IKEV2_KEY_LENGTH, key_size));
922 }
923 add_transform_substructure(this, transform);
924 }
925 enumerator->destroy(enumerator);
926
927 /* integrity algorithms */
928 enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
929 while (enumerator->enumerate(enumerator, &alg, &key_size))
930 {
931 transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
932 INTEGRITY_ALGORITHM, alg);
933 add_transform_substructure(this, transform);
934 }
935 enumerator->destroy(enumerator);
936
937 /* prf algorithms */
938 enumerator = proposal->create_enumerator(proposal, PSEUDO_RANDOM_FUNCTION);
939 while (enumerator->enumerate(enumerator, &alg, &key_size))
940 {
941 transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
942 PSEUDO_RANDOM_FUNCTION, alg);
943 add_transform_substructure(this, transform);
944 }
945 enumerator->destroy(enumerator);
946
947 /* dh groups */
948 enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
949 while (enumerator->enumerate(enumerator, &alg, NULL))
950 {
951 transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
952 DIFFIE_HELLMAN_GROUP, alg);
953 add_transform_substructure(this, transform);
954 }
955 enumerator->destroy(enumerator);
956
957 /* extended sequence numbers */
958 enumerator = proposal->create_enumerator(proposal, EXTENDED_SEQUENCE_NUMBERS);
959 while (enumerator->enumerate(enumerator, &alg, NULL))
960 {
961 transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
962 EXTENDED_SEQUENCE_NUMBERS, alg);
963 add_transform_substructure(this, transform);
964 }
965 enumerator->destroy(enumerator);
966 }
967
968 /*
969 * Described in header.
970 */
971 proposal_substructure_t *proposal_substructure_create_from_proposal(
972 payload_type_t type, proposal_t *proposal)
973 {
974 private_proposal_substructure_t *this;
975 u_int64_t spi64;
976 u_int32_t spi32;
977
978 this = (private_proposal_substructure_t*)proposal_substructure_create(type);
979
980 if (type == PROPOSAL_SUBSTRUCTURE)
981 {
982 set_from_proposal_v2(this, proposal);
983 }
984 else
985 {
986 switch (proposal->get_protocol(proposal))
987 {
988 case PROTO_IKE:
989 set_from_proposal_v1_ike(this, proposal, 0);
990 break;
991 case PROTO_ESP:
992 set_from_proposal_v1_esp(this, proposal, 0);
993 break;
994 default:
995 break;
996 }
997 }
998 /* add SPI, if necessary */
999 switch (proposal->get_protocol(proposal))
1000 {
1001 case PROTO_AH:
1002 case PROTO_ESP:
1003 spi32 = proposal->get_spi(proposal);
1004 this->spi = chunk_clone(chunk_from_thing(spi32));
1005 this->spi_size = this->spi.len;
1006 break;
1007 case PROTO_IKE:
1008 spi64 = proposal->get_spi(proposal);
1009 if (spi64)
1010 { /* IKE only uses SPIS when rekeying, but on initial setup */
1011 this->spi = chunk_clone(chunk_from_thing(spi64));
1012 this->spi_size = this->spi.len;
1013 }
1014 break;
1015 default:
1016 break;
1017 }
1018 this->proposal_number = proposal->get_number(proposal);
1019 this->protocol_id = proposal->get_protocol(proposal);
1020 compute_length(this);
1021
1022 return &this->public;
1023 }
1024
1025 /**
1026 * See header.
1027 */
1028 proposal_substructure_t *proposal_substructure_create_from_proposals(
1029 linked_list_t *proposals)
1030 {
1031 private_proposal_substructure_t *this = NULL;
1032 enumerator_t *enumerator;
1033 proposal_t *proposal;
1034 int number = 0;
1035
1036 enumerator = proposals->create_enumerator(proposals);
1037 while (enumerator->enumerate(enumerator, &proposal))
1038 {
1039 if (!this)
1040 {
1041 this = (private_proposal_substructure_t*)
1042 proposal_substructure_create_from_proposal(
1043 PROPOSAL_SUBSTRUCTURE_V1, proposal);
1044 }
1045 else
1046 {
1047 switch (proposal->get_protocol(proposal))
1048 {
1049 case PROTO_IKE:
1050 set_from_proposal_v1_ike(this, proposal, ++number);
1051 break;
1052 case PROTO_ESP:
1053 set_from_proposal_v1_esp(this, proposal, ++number);
1054 break;
1055 default:
1056 break;
1057 }
1058 }
1059 }
1060 enumerator->destroy(enumerator);
1061
1062 return &this->public;
1063 }
strongSwan - IPsec VPN