return OUT_OF_RES;
}
+ proposal->set_proposal_number(proposal, 1);
+ proposal->set_protocol_id(proposal, 1);
+
/*
* Encryption Algorithm
*/
proposal->destroy(proposal);
return OUT_OF_RES;
}
- transform->set_is_last_transform(transform, FALSE);
transform->set_transform_type(transform, ENCRYPTION_ALGORITHM);
transform->set_transform_id(transform, ENCR_AES_CBC);
proposal->destroy(proposal);
return OUT_OF_RES;
}
- transform->set_is_last_transform(transform, FALSE);
transform->set_transform_type(transform, PSEUDO_RANDOM_FUNCTION);
- transform->set_transform_id(transform, PRF_HMAC_SHA1);
+ transform->set_transform_id(transform, PRF_HMAC_MD5);
attribute = transform_attribute_create();
if (attribute == NULL)
proposal->destroy(proposal);
return OUT_OF_RES;
}
- transform->set_is_last_transform(transform, FALSE);
transform->set_transform_type(transform, INTEGRITIY_ALGORITHM);
- transform->set_transform_id(transform, AUTH_HMAC_SHA1_96);
+ transform->set_transform_id(transform, AUTH_HMAC_MD5_96);
attribute = transform_attribute_create();
if (attribute == NULL)
return OUT_OF_RES;
}
attribute->set_attribute_type(attribute, KEY_LENGTH);
- attribute->set_value(attribute, 12);
+ attribute->set_value(attribute, 16);
/*
proposal->destroy(proposal);
return OUT_OF_RES;
}
- transform->set_is_last_transform(transform, FALSE);
transform->set_transform_type(transform, DIFFIE_HELLMAN_GROUP);
transform->set_transform_id(transform, MODP_1024_BIT);
static status_t select_proposals_for_host(private_configuration_manager_t *this, host_t *host, linked_list_iterator_t *in, linked_list_iterator_t *out)
{
+ /* use a default proposal:
+ * - ENCR_AES_CBC 128Bit
+ * - PRF_HMAC_SHA1 128Bit
+ * - AUTH_HMAC_SHA1_96 96Bit
+ * - MODP_1024_BIT
+ */
+ proposal_substructure_t *proposal;
+ transform_substructure_t *transform;
+ transform_attribute_t *attribute;
+ status_t status;
+
+ proposal = proposal_substructure_create();
+ if (proposal == NULL)
+ {
+ return OUT_OF_RES;
+ }
+ proposal->set_proposal_number(proposal, 1);
+ proposal->set_protocol_id(proposal, 1);
- return FAILED;
+ /*
+ * Encryption Algorithm
+ */
+ transform = transform_substructure_create();
+ if (transform == NULL)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ status = proposal->add_transform_substructure(proposal, transform);
+ if (status != SUCCESS)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ transform->set_transform_type(transform, ENCRYPTION_ALGORITHM);
+ transform->set_transform_id(transform, ENCR_AES_CBC);
+
+ attribute = transform_attribute_create();
+ if (attribute == NULL)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ status = transform->add_transform_attribute(transform, attribute);
+ if (status != SUCCESS)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ attribute->set_attribute_type(attribute, KEY_LENGTH);
+ attribute->set_value(attribute, 16);
+
+ /*
+ * Pseudo-random Function
+ */
+ transform = transform_substructure_create();
+ if (transform == NULL)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ status = proposal->add_transform_substructure(proposal, transform);
+ if (status != SUCCESS)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ transform->set_transform_type(transform, PSEUDO_RANDOM_FUNCTION);
+ transform->set_transform_id(transform, PRF_HMAC_MD5);
+
+ attribute = transform_attribute_create();
+ if (attribute == NULL)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ status = transform->add_transform_attribute(transform, attribute);
+ if (status != SUCCESS)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ attribute->set_attribute_type(attribute, KEY_LENGTH);
+ attribute->set_value(attribute, 16);
+
+
+ /*
+ * Integrity Algorithm
+ */
+ transform = transform_substructure_create();
+ if (transform == NULL)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ status = proposal->add_transform_substructure(proposal, transform);
+ if (status != SUCCESS)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ transform->set_transform_type(transform, INTEGRITIY_ALGORITHM);
+ transform->set_transform_id(transform, AUTH_HMAC_MD5_96);
+
+ attribute = transform_attribute_create();
+ if (attribute == NULL)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ status = transform->add_transform_attribute(transform, attribute);
+ if (status != SUCCESS)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ attribute->set_attribute_type(attribute, KEY_LENGTH);
+ attribute->set_value(attribute, 16);
+
+
+ /*
+ * Diffie-Hellman Group
+ */
+ transform = transform_substructure_create();
+ if (transform == NULL)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ status = proposal->add_transform_substructure(proposal, transform);
+ if (status != SUCCESS)
+ {
+ proposal->destroy(proposal);
+ return OUT_OF_RES;
+ }
+ transform->set_transform_type(transform, DIFFIE_HELLMAN_GROUP);
+ transform->set_transform_id(transform, MODP_1024_BIT);
+
+ out->insert_after(out, (void*)proposal);
+
+ return SUCCESS;
}
static status_t is_dh_group_allowed_for_host(private_configuration_manager_t *this, host_t *host, diffie_hellman_group_t group, bool *allowed)
* Priority used get matching dh_group number
*/
u_int16_t dh_group_priority;
+
+ /**
+ * selected proposals
+ */
+ linked_list_t *proposals;
/**
*
*/
return SUCCESS;
}
-static status_t transto_ike_sa_init_responded(private_ike_sa_t *this, message_t *message)
+static status_t transto_ike_sa_init_responded(private_ike_sa_t *this, message_t *request)
{
status_t status;
linked_list_iterator_t *payloads;
- message_t *respond;
+ message_t *response;
+ host_t *source, *destination;
- status = message->parse_body(message);
+ /* this is the first message we process, so copy host infos */
+ request->get_source(request, &source);
+ request->get_destination(request, &destination);
+ /* we need to clone them, since we destroy the message later */
+ destination->clone(destination, &(this->me.host));
+ source->clone(source, &(this->other.host));
+
+ /* parse incoming message */
+ status = request->parse_body(request);
if (status != SUCCESS)
{
+ this->logger->log(this->logger, ERROR, "Could not parse body");
return status;
}
-
-
-
-
-
- status = message->get_payload_iterator(message, &payloads);
+ /* iterate over incoming payloads */
+ status = request->get_payload_iterator(request, &payloads);
if (status != SUCCESS)
{
- respond->destroy(respond);
+ request->destroy(request);
return status;
}
while (payloads->has_next(payloads))
{
payload_t *payload;
- payloads->current(payloads, (void**)payload);
+ payloads->current(payloads, (void**)&payload);
+
+ this->logger->log(this->logger, CONTROL|MORE, "Processing payload %s", mapping_find(payload_type_m, payload->get_type(payload)));
switch (payload->get_type(payload))
{
case SECURITY_ASSOCIATION:
{
- sa_payload_t *sa_payload;
- linked_list_iterator_t *proposals;
+ sa_payload_t *sa_payload = (sa_payload_t*)payload;
+ linked_list_iterator_t *suggested_proposals, *accepted_proposals;
+ /* create a list for accepted proposals */
+ if (this->ike_sa_init_data.proposals == NULL) {
+ this->ike_sa_init_data.proposals = linked_list_create();
+ }
+ else
+ {
+ /** @todo destroy list contents */
+ }
+ if (this->ike_sa_init_data.proposals == NULL)
+ {
+ payloads->destroy(payloads);
+ return OUT_OF_RES;
+ }
+ status = this->ike_sa_init_data.proposals->create_iterator(this->ike_sa_init_data.proposals, &accepted_proposals, FALSE);
+ if (status != SUCCESS)
+ {
+ payloads->destroy(payloads);
+ return status;
+ }
+
+ /* get the list of suggested proposals */
+ status = sa_payload->create_proposal_substructure_iterator(sa_payload, &suggested_proposals, TRUE);
+ if (status != SUCCESS)
+ {
+ accepted_proposals->destroy(accepted_proposals);
+ payloads->destroy(payloads);
+ return status;
+ }
- sa_payload = (sa_payload_t*)payload;
- status = sa_payload->create_proposal_substructure_iterator(sa_payload, &proposals, TRUE);
+ /* now let the configuration-manager select a subset of the proposals */
+ status = global_configuration_manager->select_proposals_for_host(global_configuration_manager,
+ this->other.host, suggested_proposals, accepted_proposals);
if (status != SUCCESS)
{
+ suggested_proposals->destroy(suggested_proposals);
+ accepted_proposals->destroy(accepted_proposals);
payloads->destroy(payloads);
return status;
}
- //global_configuration_manager->select_proposals_for_host
+
+ suggested_proposals->destroy(suggested_proposals);
+ accepted_proposals->destroy(accepted_proposals);
+ /* ok, we have what we need for sa_payload */
break;
}
case KEY_EXCHANGE:
{
+ ke_payload_t *ke_payload = (ke_payload_t*)payload;
+ diffie_hellman_t *dh;
+ diffie_hellman_group_t group;
+ bool allowed_group;
+
+ group = ke_payload->get_dh_group_number(ke_payload);
+
+ status = global_configuration_manager->is_dh_group_allowed_for_host(global_configuration_manager,
+ this->other.host, group, &allowed_group);
+ if (status != SUCCESS)
+ {
+ payloads->destroy(payloads);
+ return status;
+ }
+ if (!allowed_group)
+ {
+ /** @todo info reply */
+ }
+
+ dh = diffie_hellman_create(group);
+ if (dh == NULL)
+ {
+ payloads->destroy(payloads);
+ return OUT_OF_RES;
+ }
+
+ status = dh->set_other_public_value(dh, ke_payload->get_key_exchange_data(ke_payload));
+ if (status != SUCCESS)
+ {
+ dh->destroy(dh);
+ payloads->destroy(payloads);
+ return OUT_OF_RES;
+ }
+ /** @todo destroy if there is already one */
+ this->ike_sa_init_data.diffie_hellman = dh;
break;
}
case NONCE:
{
+ nonce_payload_t *nonce_payload = (nonce_payload_t*)payload;
+ chunk_t nonce;
+
+ nonce_payload->get_nonce(nonce_payload, &nonce);
+ /** @todo free if there is already one */
+ this->ike_sa_init_data.received_nonce.ptr = allocator_clone_bytes(nonce.ptr, nonce.len);
+ this->ike_sa_init_data.received_nonce.len = nonce.len;
+ if (this->ike_sa_init_data.received_nonce.ptr == NULL)
+ {
+ payloads->destroy(payloads);
+ return OUT_OF_RES;
+ }
break;
}
default:
{
-
+ /** @todo handle */
}
}
}
+ payloads->destroy(payloads);
+ printf("done.\n");
+
+ /* set up the reply */
+ status = this->build_message(this, IKE_SA_INIT, FALSE, &response);
+ if (status != SUCCESS)
+ {
+ return status;
+ }
return SUCCESS;
}
-static status_t transto_ike_auth_requested(private_ike_sa_t *this, message_t *message)
-{
- return SUCCESS;
+static status_t transto_ike_auth_requested(private_ike_sa_t *this, message_t *response)
+{
+ status_t status;
+ linked_list_iterator_t *payloads;
+
+
+ /* parse incoming message */
+ status = response->parse_body(response);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Could not parse body");
+ return status;
+ }
+ /* iterate over incoming payloads */
+ status = response->get_payload_iterator(response, &payloads);
+ if (status != SUCCESS)
+ {
+ response->destroy(response);
+ return status;
+ }
+ while (payloads->has_next(payloads))
+ {
+ payload_t *payload;
+ payloads->current(payloads, (void**)&payload);
+
+ this->logger->log(this->logger, CONTROL|MORE, "Processing payload %s", mapping_find(payload_type_m, payload->get_type(payload)));
+ switch (payload->get_type(payload))
+ {
+// case SECURITY_ASSOCIATION:
+// {
+// sa_payload_t *sa_payload = (sa_payload_t*)payload;
+// linked_list_iterator_t *suggested_proposals, *accepted_proposals;
+// /* create a list for accepted proposals */
+// if (this->ike_sa_init_data.proposals == NULL) {
+// this->ike_sa_init_data.proposals = linked_list_create();
+// }
+// else
+// {
+// /** @todo destroy list contents */
+// }
+// if (this->ike_sa_init_data.proposals == NULL)
+// {
+// payloads->destroy(payloads);
+// return OUT_OF_RES;
+// }
+// status = this->ike_sa_init_data.proposals->create_iterator(this->ike_sa_init_data.proposals, &accepted_proposals, FALSE);
+// if (status != SUCCESS)
+// {
+// payloads->destroy(payloads);
+// return status;
+// }
+//
+// /* get the list of suggested proposals */
+// status = sa_payload->create_proposal_substructure_iterator(sa_payload, &suggested_proposals, TRUE);
+// if (status != SUCCESS)
+// {
+// accepted_proposals->destroy(accepted_proposals);
+// payloads->destroy(payloads);
+// return status;
+// }
+//
+// /* now let the configuration-manager select a subset of the proposals */
+// status = global_configuration_manager->select_proposals_for_host(global_configuration_manager,
+// this->other.host, suggested_proposals, accepted_proposals);
+// if (status != SUCCESS)
+// {
+// suggested_proposals->destroy(suggested_proposals);
+// accepted_proposals->destroy(accepted_proposals);
+// payloads->destroy(payloads);
+// return status;
+// }
+//
+// suggested_proposals->destroy(suggested_proposals);
+// accepted_proposals->destroy(accepted_proposals);
+//
+// /* ok, we have what we need for sa_payload */
+// break;
+// }
+ case KEY_EXCHANGE:
+ {
+ ke_payload_t *ke_payload = (ke_payload_t*)payload;
+ diffie_hellman_t *dh;
+ chunk_t shared_secret;
+
+ dh = this->ike_sa_init_data.diffie_hellman;
+
+
+
+
+ status = dh->set_other_public_value(dh, ke_payload->get_key_exchange_data(ke_payload));
+ if (status != SUCCESS)
+ {
+ dh->destroy(dh);
+ payloads->destroy(payloads);
+ return OUT_OF_RES;
+ }
+
+ status = dh->get_shared_secret(dh, &shared_secret);
+
+ this->logger->log_chunk(this->logger, RAW, "Shared secret", &shared_secret);
+
+ break;
+ }
+ case NONCE:
+ {
+ nonce_payload_t *nonce_payload = (nonce_payload_t*)payload;
+ chunk_t nonce;
+
+ nonce_payload->get_nonce(nonce_payload, &nonce);
+ /** @todo free if there is already one */
+ this->ike_sa_init_data.received_nonce.ptr = allocator_clone_bytes(nonce.ptr, nonce.len);
+ this->ike_sa_init_data.received_nonce.len = nonce.len;
+ if (this->ike_sa_init_data.received_nonce.ptr == NULL)
+ {
+ payloads->destroy(payloads);
+ return OUT_OF_RES;
+ }
+ break;
+ }
+ default:
+ {
+ /** @todo handle */
+ }
+
+ }
+
+ }
+ payloads->destroy(payloads);
+
+ printf("done.\n");
+
+ /* set up the reply */
+ status = this->build_message(this, IKE_SA_INIT, FALSE, &response);
+ if (status != SUCCESS)
+ {
+ return status;
+ }
+
+
+
}
/**
this->ike_sa_init_data.sent_nonce.ptr = NULL;
this->ike_sa_init_data.received_nonce.len = 0;
this->ike_sa_init_data.received_nonce.ptr = NULL;
+ this->ike_sa_init_data.proposals = NULL;
this->message_id_out = 0;
this->message_id_in = 0;