projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Implemented IKEv1 attribute encoding in SA payload
[strongswan.git] / src / libcharon / encoding / payloads / sa_payload.c
1 /*
2 * Copyright (C) 2005-2010 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <stddef.h>
18
19 #include "sa_payload.h"
20
21 #include <encoding/payloads/encodings.h>
22 #include <utils/linked_list.h>
23 #include <daemon.h>
24
25 /* IKEv1 situation */
26 #define SIT_IDENTITY_ONLY 1
27
28 typedef struct private_sa_payload_t private_sa_payload_t;
29
30 /**
31 * Private data of an sa_payload_t object.
32 */
33 struct private_sa_payload_t {
34
35 /**
36 * Public sa_payload_t interface.
37 */
38 sa_payload_t public;
39
40 /**
41 * Next payload type.
42 */
43 u_int8_t next_payload;
44
45 /**
46 * Critical flag.
47 */
48 bool critical;
49
50 /**
51 * Reserved bits
52 */
53 bool reserved[8];
54
55 /**
56 * Length of this payload.
57 */
58 u_int16_t payload_length;
59
60 /**
61 * Proposals in this payload are stored in a linked_list_t.
62 */
63 linked_list_t *proposals;
64
65 /**
66 * Type of this payload, V1 or V2
67 */
68 payload_type_t type;
69
70 /**
71 * IKEv1 DOI
72 */
73 u_int32_t doi;
74
75 /**
76 * IKEv1 situation
77 */
78 u_int32_t situation;
79 };
80
81 /**
82 * Encoding rules for IKEv1 SA payload
83 */
84 static encoding_rule_t encodings_v1[] = {
85 /* 1 Byte next payload type, stored in the field next_payload */
86 { U_INT_8, offsetof(private_sa_payload_t, next_payload) },
87 /* 8 reserved bits */
88 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[0]) },
89 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[1]) },
90 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[2]) },
91 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[3]) },
92 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[4]) },
93 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[5]) },
94 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[6]) },
95 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[7]) },
96 /* Length of the whole SA payload*/
97 { PAYLOAD_LENGTH, offsetof(private_sa_payload_t, payload_length) },
98 /* DOI*/
99 { U_INT_32, offsetof(private_sa_payload_t, doi) },
100 /* Situation*/
101 { U_INT_32, offsetof(private_sa_payload_t, situation) },
102 /* Proposals are stored in a proposal substructure list */
103 { PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE_V1,
104 offsetof(private_sa_payload_t, proposals) },
105 };
106
107 /*
108 1 2 3
109 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
110 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
111 ! Next Payload ! RESERVED ! Payload Length !
112 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
113 ! DOI !
114 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
115 ! Situation !
116 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
117 ! !
118 ~ <Proposals> ~
119 ! !
120 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
121 */
122
123 /**
124 * Encoding rules for IKEv2 SA payload
125 */
126 static encoding_rule_t encodings_v2[] = {
127 /* 1 Byte next payload type, stored in the field next_payload */
128 { U_INT_8, offsetof(private_sa_payload_t, next_payload) },
129 /* the critical bit */
130 { FLAG, offsetof(private_sa_payload_t, critical) },
131 /* 7 Bit reserved bits */
132 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[0]) },
133 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[1]) },
134 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[2]) },
135 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[3]) },
136 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[4]) },
137 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[5]) },
138 { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[6]) },
139 /* Length of the whole SA payload*/
140 { PAYLOAD_LENGTH, offsetof(private_sa_payload_t, payload_length) },
141 /* Proposals are stored in a proposal substructure list */
142 { PAYLOAD_LIST + PROPOSAL_SUBSTRUCTURE,
143 offsetof(private_sa_payload_t, proposals) },
144 };
145
146 /*
147 1 2 3
148 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
149 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
150 ! Next Payload !C! RESERVED ! Payload Length !
151 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
152 ! !
153 ~ <Proposals> ~
154 ! !
155 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
156 */
157
158 METHOD(payload_t, verify, status_t,
159 private_sa_payload_t *this)
160 {
161 int expected_number = 0, current_number;
162 status_t status = SUCCESS;
163 enumerator_t *enumerator;
164 proposal_substructure_t *substruct;
165
166 if (this->type == SECURITY_ASSOCIATION)
167 {
168 expected_number = 1;
169 }
170
171 /* check proposal numbering */
172 enumerator = this->proposals->create_enumerator(this->proposals);
173 while (enumerator->enumerate(enumerator, (void**)&substruct))
174 {
175 current_number = substruct->get_proposal_number(substruct);
176 if (current_number < expected_number)
177 {
178 DBG1(DBG_ENC, "proposal number smaller than previous");
179 status = FAILED;
180 break;
181 }
182
183 status = substruct->payload_interface.verify(&substruct->payload_interface);
184 if (status != SUCCESS)
185 {
186 DBG1(DBG_ENC, "PROPOSAL_SUBSTRUCTURE verification failed");
187 break;
188 }
189 expected_number = current_number;
190 }
191 enumerator->destroy(enumerator);
192 return status;
193 }
194
195 METHOD(payload_t, get_encoding_rules, int,
196 private_sa_payload_t *this, encoding_rule_t **rules)
197 {
198 if (this->type == SECURITY_ASSOCIATION_V1)
199 {
200 *rules = encodings_v1;
201 return countof(encodings_v1);
202 }
203 *rules = encodings_v2;
204 return countof(encodings_v2);
205 }
206
207 METHOD(payload_t, get_header_length, int,
208 private_sa_payload_t *this)
209 {
210 if (this->type == SECURITY_ASSOCIATION_V1)
211 {
212 return 12;
213 }
214 return 4;
215 }
216
217 METHOD(payload_t, get_type, payload_type_t,
218 private_sa_payload_t *this)
219 {
220 return this->type;
221 }
222
223 METHOD(payload_t, get_next_type, payload_type_t,
224 private_sa_payload_t *this)
225 {
226 return this->next_payload;
227 }
228
229 METHOD(payload_t, set_next_type, void,
230 private_sa_payload_t *this,payload_type_t type)
231 {
232 this->next_payload = type;
233 }
234
235 /**
236 * recompute length of the payload.
237 */
238 static void compute_length(private_sa_payload_t *this)
239 {
240 enumerator_t *enumerator;
241 payload_t *current;
242
243 this->payload_length = get_header_length(this);
244
245 enumerator = this->proposals->create_enumerator(this->proposals);
246 while (enumerator->enumerate(enumerator, (void **)&current))
247 {
248 this->payload_length += current->get_length(current);
249 }
250 enumerator->destroy(enumerator);
251 }
252
253 METHOD(payload_t, get_length, size_t,
254 private_sa_payload_t *this)
255 {
256 return this->payload_length;
257 }
258
259 /**
260 * Create a transform substructure from a proposal, add to payload
261 */
262 static void add_proposal_v2(private_sa_payload_t *this, proposal_t *proposal)
263 {
264 proposal_substructure_t *substruct, *last;
265 u_int count;
266
267 substruct = proposal_substructure_create_from_proposal_v2(proposal);
268 count = this->proposals->get_count(this->proposals);
269 if (count > 0)
270 {
271 this->proposals->get_last(this->proposals, (void**)&last);
272 /* last transform is now not anymore last one */
273 last->set_is_last_proposal(last, FALSE);
274 }
275 substruct->set_is_last_proposal(substruct, TRUE);
276 if (proposal->get_number(proposal))
277 { /* use the selected proposals number, if any */
278 substruct->set_proposal_number(substruct, proposal->get_number(proposal));
279 }
280 else
281 {
282 substruct->set_proposal_number(substruct, count + 1);
283 }
284 this->proposals->insert_last(this->proposals, substruct);
285 compute_length(this);
286 }
287
288 METHOD(sa_payload_t, get_proposals, linked_list_t*,
289 private_sa_payload_t *this)
290 {
291 int struct_number = 0;
292 int ignore_struct_number = 0;
293 enumerator_t *enumerator;
294 proposal_substructure_t *substruct;
295 proposal_t *proposal;
296 linked_list_t *list;
297
298 if (this->type == SECURITY_ASSOCIATION_V1)
299 { /* IKEv1 proposals start with 0 */
300 struct_number = ignore_struct_number = -1;
301 }
302
303 list = linked_list_create();
304 /* we do not support proposals split up to two proposal substructures, as
305 * AH+ESP bundles are not supported in RFC4301 anymore.
306 * To handle such structures safely, we just skip proposals with multiple
307 * protocols.
308 */
309 enumerator = this->proposals->create_enumerator(this->proposals);
310 while (enumerator->enumerate(enumerator, &substruct))
311 {
312 /* check if a proposal has a single protocol */
313 if (substruct->get_proposal_number(substruct) == struct_number)
314 {
315 if (ignore_struct_number < struct_number)
316 {
317 /* remove an already added, if first of series */
318 if (list->remove_last(list, (void**)&proposal) == SUCCESS)
319 {
320 proposal->destroy(proposal);
321 }
322 ignore_struct_number = struct_number;
323 }
324 continue;
325 }
326 struct_number++;
327 substruct->get_proposals(substruct, list);
328 }
329 enumerator->destroy(enumerator);
330 return list;
331 }
332
333 METHOD(sa_payload_t, create_substructure_enumerator, enumerator_t*,
334 private_sa_payload_t *this)
335 {
336 return this->proposals->create_enumerator(this->proposals);
337 }
338
339 METHOD(sa_payload_t, get_lifetime, u_int32_t,
340 private_sa_payload_t *this)
341 {
342 proposal_substructure_t *substruct;
343 enumerator_t *enumerator;
344 u_int32_t lifetime = 0;
345
346 enumerator = this->proposals->create_enumerator(this->proposals);
347 if (enumerator->enumerate(enumerator, &substruct))
348 {
349 lifetime = substruct->get_lifetime(substruct);
350 }
351 enumerator->destroy(enumerator);
352
353 return lifetime;
354 }
355
356 METHOD(sa_payload_t, get_lifebytes, u_int64_t,
357 private_sa_payload_t *this)
358 {
359 proposal_substructure_t *substruct;
360 enumerator_t *enumerator;
361 u_int64_t lifebytes = 0;
362
363 enumerator = this->proposals->create_enumerator(this->proposals);
364 if (enumerator->enumerate(enumerator, &substruct))
365 {
366 lifebytes = substruct->get_lifebytes(substruct);
367 }
368 enumerator->destroy(enumerator);
369
370 return lifebytes;
371 }
372
373 METHOD(sa_payload_t, get_auth_method, auth_method_t,
374 private_sa_payload_t *this)
375 {
376 proposal_substructure_t *substruct;
377 enumerator_t *enumerator;
378 auth_method_t method = AUTH_NONE;
379
380 enumerator = this->proposals->create_enumerator(this->proposals);
381 if (enumerator->enumerate(enumerator, &substruct))
382 {
383 method = substruct->get_auth_method(substruct);
384 }
385 enumerator->destroy(enumerator);
386
387 return method;
388 }
389
390 METHOD(sa_payload_t, get_encap_mode, ipsec_mode_t,
391 private_sa_payload_t *this, bool *udp)
392 {
393 proposal_substructure_t *substruct;
394 enumerator_t *enumerator;
395 ipsec_mode_t mode = MODE_NONE;
396
397 enumerator = this->proposals->create_enumerator(this->proposals);
398 if (enumerator->enumerate(enumerator, &substruct))
399 {
400 mode = substruct->get_encap_mode(substruct, udp);
401 }
402 enumerator->destroy(enumerator);
403
404 return mode;
405 }
406
407 METHOD2(payload_t, sa_payload_t, destroy, void,
408 private_sa_payload_t *this)
409 {
410 this->proposals->destroy_offset(this->proposals,
411 offsetof(payload_t, destroy));
412 free(this);
413 }
414
415 /*
416 * Described in header.
417 */
418 sa_payload_t *sa_payload_create(payload_type_t type)
419 {
420 private_sa_payload_t *this;
421
422 INIT(this,
423 .public = {
424 .payload_interface = {
425 .verify = _verify,
426 .get_encoding_rules = _get_encoding_rules,
427 .get_header_length = _get_header_length,
428 .get_length = _get_length,
429 .get_next_type = _get_next_type,
430 .set_next_type = _set_next_type,
431 .get_type = _get_type,
432 .destroy = _destroy,
433 },
434 .get_proposals = _get_proposals,
435 .create_substructure_enumerator = _create_substructure_enumerator,
436 .get_lifetime = _get_lifetime,
437 .get_lifebytes = _get_lifebytes,
438 .get_auth_method = _get_auth_method,
439 .get_encap_mode = _get_encap_mode,
440 .destroy = _destroy,
441 },
442 .next_payload = NO_PAYLOAD,
443 .proposals = linked_list_create(),
444 .type = type,
445 /* for IKEv1 only */
446 .doi = IKEV1_DOI_IPSEC,
447 .situation = SIT_IDENTITY_ONLY,
448 );
449
450 compute_length(this);
451
452 return &this->public;
453 }
454
455 /*
456 * Described in header.
457 */
458 sa_payload_t *sa_payload_create_from_proposals_v2(linked_list_t *proposals)
459 {
460 private_sa_payload_t *this;
461 enumerator_t *enumerator;
462 proposal_t *proposal;
463
464 this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
465 enumerator = proposals->create_enumerator(proposals);
466 while (enumerator->enumerate(enumerator, &proposal))
467 {
468 add_proposal_v2(this, proposal);
469 }
470 enumerator->destroy(enumerator);
471
472 return &this->public;
473 }
474
475 /*
476 * Described in header.
477 */
478 sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal)
479 {
480 private_sa_payload_t *this;
481
482 this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
483 add_proposal_v2(this, proposal);
484
485 return &this->public;
486
487 }
488
489 /*
490 * Described in header.
491 */
492 sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
493 u_int32_t lifetime, u_int64_t lifebytes,
494 auth_method_t auth, ipsec_mode_t mode, bool udp)
495 {
496 proposal_substructure_t *substruct;
497 private_sa_payload_t *this;
498
499 this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION_V1);
500
501 /* IKEv1 encodes multiple proposals in a single substructure
502 * TODO-IKEv1: Encode ESP+AH proposals in two different substructs */
503 substruct = proposal_substructure_create_from_proposals_v1(proposals,
504 lifetime, lifebytes, auth, mode, udp);
505 substruct->set_is_last_proposal(substruct, TRUE);
506 this->proposals->insert_last(this->proposals, substruct);
507 compute_length(this);
508
509 return &this->public;
510 }
511
512 /*
513 * Described in header.
514 */
515 sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal,
516 u_int32_t lifetime, u_int64_t lifebytes,
517 auth_method_t auth, ipsec_mode_t mode, bool udp)
518 {
519 proposal_substructure_t *substruct;
520 private_sa_payload_t *this;
521
522 this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION_V1);
523
524 substruct = proposal_substructure_create_from_proposal_v1(proposal,
525 lifetime, lifebytes, auth, mode, udp);
526 substruct->set_is_last_proposal(substruct, TRUE);
527 this->proposals->insert_last(this->proposals, substruct);
528 compute_length(this);
529
530 return &this->public;
531 }
strongSwan - IPsec VPN