Message rules for IKEv1 ID_PROT exchange added.
authorTobias Brunner <tobias@strongswan.org>
Tue, 15 Nov 2011 15:13:50 +0000 (16:13 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 20 Mar 2012 16:30:40 +0000 (17:30 +0100)
These rules are quite broad and cover main mode with at least PSK and
signature based authentication.

src/libcharon/encoding/message.c

index fa724e4..eab3427 100644 (file)
@@ -414,6 +414,72 @@ static payload_order_t me_connect_r_order[] = {
 };
 #endif /* ME */
 
+#ifdef USE_IKEV1
+/**
+ * Message rule for ID_PROT from initiator.
+ */
+static payload_rule_t id_prot_i_rules[] = {
+/*     payload type                            min     max                                             encr    suff */
+       {NOTIFICATION_V1,                       0,      MAX_NOTIFY_PAYLOADS,    FALSE,  FALSE},
+       {SECURITY_ASSOCIATION_V1,       0,      1,                                              FALSE,  FALSE},
+       {KEY_EXCHANGE_V1,                       0,      1,                                              FALSE,  FALSE},
+       {NONCE_V1,                                      0,      1,                                              FALSE,  FALSE},
+       {VENDOR_ID_V1,                          0,      MAX_VID_PAYLOADS,               FALSE,  FALSE},
+       {ID_V1,                                         0,      1,                                              TRUE,   FALSE},
+       {CERTIFICATE_V1,                        0,      1,                                              TRUE,   FALSE},
+       {SIGNATURE_V1,                          0,      1,                                              TRUE,   FALSE},
+       {HASH_V1,                                       0,      1,                                              TRUE,   FALSE},
+};
+
+/**
+ * payload order for ID_PROT from initiator.
+ */
+static payload_order_t id_prot_i_order[] = {
+/*     payload type                            notify type */
+       {SECURITY_ASSOCIATION_V1,       0},
+       {KEY_EXCHANGE_V1,                       0},
+       {NONCE_V1,                                      0},
+       {ID_V1,                                         0},
+       {CERTIFICATE_V1,                        0},
+       {SIGNATURE_V1,                          0},
+       {HASH_V1,                                       0},
+       {NOTIFICATION_V1,                       0},
+       {VENDOR_ID_V1,                          0},
+};
+
+/**
+ * Message rule for ID_PROT from responder.
+ */
+static payload_rule_t id_prot_r_rules[] = {
+/*     payload type                            min     max                                             encr    suff */
+       {NOTIFICATION_V1,                       0,      MAX_NOTIFY_PAYLOADS,    FALSE,  FALSE},
+       {SECURITY_ASSOCIATION_V1,       0,      1,                                              FALSE,  FALSE},
+       {KEY_EXCHANGE_V1,                       0,      1,                                              FALSE,  FALSE},
+       {NONCE_V1,                                      0,      1,                                              FALSE,  FALSE},
+       {VENDOR_ID_V1,                          0,      MAX_VID_PAYLOADS,               FALSE,  FALSE},
+       {ID_V1,                                         0,      1,                                              TRUE,   FALSE},
+       {CERTIFICATE_V1,                        0,      1,                                              TRUE,   FALSE},
+       {SIGNATURE_V1,                          0,      1,                                              TRUE,   FALSE},
+       {HASH_V1,                                       0,      1,                                              TRUE,   FALSE},
+};
+
+/**
+ * payload order for ID_PROT from responder.
+ */
+static payload_order_t id_prot_r_order[] = {
+/*     payload type                            notify type */
+       {SECURITY_ASSOCIATION_V1,       0},
+       {KEY_EXCHANGE_V1,                       0},
+       {NONCE_V1,                                      0},
+       {ID_V1,                                         0},
+       {CERTIFICATE_V1,                        0},
+       {SIGNATURE_V1,                          0},
+       {HASH_V1,                                       0},
+       {NOTIFICATION_V1,                       0},
+       {VENDOR_ID_V1,                          0},
+};
+#endif /* USE_IKEV1 */
+
 /**
  * Message rules, defines allowed payloads.
  */
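Review bot: Neither id_prot_i_rules nor id_prot_r_rules lists a certificate-request payload (nor NAT-D), so a main-mode message carrying a CERTREQ — which RFC 2409 allows in any message and signature-authenticated peers routinely send in messages 3/4 — would presumably be rejected by the payload check if unlisted types are refused, contradicting the description's claim that signature authentication is covered; if the file defines the IKEv1 identifiers like the IKEv2 ones, add a row such as `{CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},` next to VENDOR_ID_V1, and consider whether CERTIFICATE_V1 max 1 is right when a peer sends a chain as several CERT payloads. Because every min count is 0, the tables accept any subset of these payloads (including an empty message), so they cannot enforce which payloads belong to which of the six main-mode messages; that per-step presence check has to happen in the exchange/task code, which is outside this hunk. The header comments should say so, e.g. `/* Deliberately broad: one table for all six main mode messages. ID/CERT/SIG/HASH carry encr=TRUE (identity protection); per-message payload presence is enforced by the task, not here. */`.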
@@ -460,6 +526,17 @@ static message_rule_t message_rules[] = {
                countof(me_connect_r_order), me_connect_r_order,
        },
 #endif /* ME */
+#ifdef USE_IKEV1
+       {ID_PROT,                       TRUE,   FALSE,
+               countof(id_prot_i_rules), id_prot_i_rules,
+               countof(id_prot_i_order), id_prot_i_order,
+       },
+       {ID_PROT,                       FALSE,  FALSE,
+               countof(id_prot_r_rules), id_prot_r_rules,
+               countof(id_prot_r_order), id_prot_r_order,
+       },
+       /* TODO-IKEv1: define rules for other exchanges */
+#endif /* USE_IKEV1 */
 };
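Review bot: The responder tables registered in the second ID_PROT entry are byte-for-byte copies of the initiator tables, so they are two places to keep in sync for no gain; unless divergence is planned, point both entries at one pair, e.g. `{ID_PROT, FALSE, FALSE, countof(id_prot_i_rules), id_prot_i_rules, countof(id_prot_i_order), id_prot_i_order},` (or rename the shared tables to id_prot_rules/id_prot_order) and drop the duplicates. The third field is FALSE for both entries; if that is the message-level "must be encrypted" flag as in the neighbouring IKEv2 entries, it cannot be set for ID_PROT because messages 1-4 are plaintext, which leaves the per-payload encr column as the only guard against ID/HASH/SIG arriving unencrypted — worth a one-line comment above the entries, e.g. `/* message-level encryption cannot be required: main mode messages 1-4 are plaintext, per-payload encr flags carry the protection */`. The TODO-IKEv1 marker is fine as a placeholder, but it would help to state what happens to an IKEv1 exchange with no rule entry (rejected vs. unchecked), since the rest of the lookup is outside this hunk.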