Added not-yet used sa_payload parameters used in IKEv1
authorMartin Willi <martin@revosec.ch>
Thu, 24 Nov 2011 10:39:31 +0000 (11:39 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 20 Mar 2012 16:30:52 +0000 (17:30 +0100)
src/conftest/hooks/custom_proposal.c
src/conftest/hooks/pretend_auth.c
src/conftest/hooks/set_proposal_number.c
src/libcharon/encoding/payloads/sa_payload.c
src/libcharon/encoding/payloads/sa_payload.h
src/libcharon/sa/authenticators/authenticator.h
src/libcharon/sa/tasks/child_create.c
src/libcharon/sa/tasks/ike_init.c
src/libcharon/sa/tasks/main_mode.c
src/libcharon/sa/tasks/quick_mode.c
src/libhydra/kernel/kernel_ipsec.h

index 9522335..4acea18 100644 (file)
@@ -145,8 +145,7 @@ METHOD(listener_t, message, bool,
                                                                                   proposal->get_protocol(proposal),
                                                                                   proposal->get_spi(proposal));
                                DBG1(DBG_CFG, "injecting custom proposal: %#P", new_props);
-                               new = sa_payload_create_from_proposal_list(
-                                                                                       SECURITY_ASSOCIATION, new_props);
+                               new = sa_payload_create_from_proposals_v2(new_props);
                                message->add_payload(message, (payload_t*)new);
                                new_props->destroy_offset(new_props, offsetof(proposal_t, destroy));
                        }
index 560864d..b8f9614 100644 (file)
@@ -295,8 +295,7 @@ static void process_auth_response(private_pretend_auth_t *this,
        if (this->proposal)
        {
                message->add_payload(message, (payload_t*)
-                                       sa_payload_create_from_proposal(SECURITY_ASSOCIATION,
-                                                                                                       this->proposal));
+                                       sa_payload_create_from_proposal_v2(this->proposal));
        }
        if (this->tsi)
        {
index 32b0155..839ca1f 100644 (file)
@@ -121,7 +121,7 @@ METHOD(listener_t, message, bool,
                        }
                        enumerator->destroy(enumerator);
                }
-               sa = sa_payload_create_from_proposal_list(SECURITY_ASSOCIATION, updated);
+               sa = sa_payload_create_from_proposals_v2(updated);
                list->destroy_offset(list, offsetof(proposal_t, destroy));
                updated->destroy_offset(updated, offsetof(proposal_t, destroy));
                message->add_payload(message, (payload_t*)sa);
index 05695fc..385517b 100644 (file)
@@ -341,6 +341,31 @@ METHOD(sa_payload_t, create_substructure_enumerator, enumerator_t*,
        return this->proposals->create_enumerator(this->proposals);
 }
 
+METHOD(sa_payload_t, get_lifetime, u_int32_t,
+       private_sa_payload_t *this)
+{
+       return 0;
+}
+
+METHOD(sa_payload_t, get_lifebytes, u_int64_t,
+       private_sa_payload_t *this)
+{
+       return 0;
+}
+
+METHOD(sa_payload_t, get_auth_method, auth_method_t,
+       private_sa_payload_t *this)
+{
+       return AUTH_NONE;
+}
+
+METHOD(sa_payload_t, get_encap_mode, ipsec_mode_t,
+       private_sa_payload_t *this, bool *udp)
+{
+       *udp = FALSE;
+       return MODE_NONE;
+}
+
 METHOD2(payload_t, sa_payload_t, destroy, void,
        private_sa_payload_t *this)
 {
@@ -370,6 +395,10 @@ sa_payload_t *sa_payload_create(payload_type_t type)
                        },
                        .get_proposals = _get_proposals,
                        .create_substructure_enumerator = _create_substructure_enumerator,
+                       .get_lifetime = _get_lifetime,
+                       .get_lifebytes = _get_lifebytes,
+                       .get_auth_method = _get_auth_method,
+                       .get_encap_mode = _get_encap_mode,
                        .destroy = _destroy,
                },
                .next_payload = NO_PAYLOAD,
@@ -431,3 +460,80 @@ sa_payload_t *sa_payload_create_from_proposal(payload_type_t type,
 
        return &this->public;
 }
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposals_v2(linked_list_t *proposals)
+{
+       private_sa_payload_t *this;
+       enumerator_t *enumerator;
+       proposal_t *proposal;
+
+       this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
+       enumerator = proposals->create_enumerator(proposals);
+       while (enumerator->enumerate(enumerator, &proposal))
+       {
+               add_proposal(this, proposal);
+       }
+       enumerator->destroy(enumerator);
+
+       return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal)
+{
+       private_sa_payload_t *this;
+
+       this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
+       add_proposal(this, proposal);
+
+       return &this->public;
+
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
+                                                               u_int32_t lifetime, u_int64_t lifebytes,
+                                                               auth_method_t auth, ipsec_mode_t mode, bool udp)
+{
+       proposal_substructure_t *substruct;
+       private_sa_payload_t *this;
+
+       this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
+
+       /* IKEv1 encodes multiple proposals in a single substructure
+        * TODO-IKEv1: Encode ESP+AH proposals in two different substructs */
+       substruct = proposal_substructure_create_from_proposals(proposals);
+       substruct->set_is_last_proposal(substruct, TRUE);
+       this->proposals->insert_last(this->proposals, substruct);
+       compute_length(this);
+
+       return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal,
+                                                               u_int32_t lifetime, u_int64_t lifebytes,
+                                                               auth_method_t auth, ipsec_mode_t mode, bool udp)
+{
+       proposal_substructure_t *substruct;
+       private_sa_payload_t *this;
+
+       this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION_V1);
+
+       substruct = proposal_substructure_create_from_proposal(
+                                                                                       PROPOSAL_SUBSTRUCTURE_V1, proposal);
+       substruct->set_is_last_proposal(substruct, TRUE);
+       this->proposals->insert_last(this->proposals, substruct);
+       compute_length(this);
+
+       return &this->public;
+}
index d6c6b60..dfba477 100644 (file)
@@ -28,6 +28,8 @@ typedef struct sa_payload_t sa_payload_t;
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/proposal_substructure.h>
 #include <utils/linked_list.h>
+#include <kernel/kernel_ipsec.h>
+#include <sa/authenticators/authenticator.h>
 
 /**
  * Class representing an IKEv1 or IKEv2 SA Payload.
@@ -49,6 +51,35 @@ struct sa_payload_t {
        linked_list_t *(*get_proposals) (sa_payload_t *this);
 
        /**
+        * Get the (shortest) lifetime of a proposal (IKEv1 only).
+        *
+        * @return                                      lifetime, in seconds
+        */
+       u_int32_t (*get_lifetime)(sa_payload_t *this);
+
+       /**
+        * Get the (shortest) life duration of a proposal (IKEv1 only).
+        *
+        * @return                                      life duration, in bytes
+        */
+       u_int64_t (*get_lifebytes)(sa_payload_t *this);
+
+       /**
+        * Get the first authentication method from the proposal (IKEv1 only).
+        *
+        * @return                                      auth method, or AUTH_NONE
+        */
+       auth_method_t (*get_auth_method)(sa_payload_t *this);
+
+       /**
+        * Get the (first) encapsulation mode from a proposal (IKEv1 only).
+        *
+        * @param udp                           set to TRUE if UDP encapsulation used
+        * @return                                      ipsec encapsulation mode
+        */
+       ipsec_mode_t (*get_encap_mode)(sa_payload_t *this, bool *udp);
+
+       /**
         * Create an enumerator over all proposal substructures.
         *
         * @return                                      enumerator over proposal_substructure_t
@@ -70,26 +101,49 @@ struct sa_payload_t {
 sa_payload_t *sa_payload_create(payload_type_t type);
 
 /**
- * Creates a sa_payload_t object from a list of proposals.
+ * Creates an IKEv2 sa_payload_t object from a list of proposals.
  *
- * @param type                         SECURITY_ASSOCIATION or SECURITY_ASSOCIATION_V1
  * @param proposals                    list of proposals to build the payload from
  * @return                                     sa_payload_t object
  */
-sa_payload_t *sa_payload_create_from_proposal_list(payload_type_t type,
-                                                                                                  linked_list_t *proposals);
+sa_payload_t *sa_payload_create_from_proposals_v2(linked_list_t *proposals);
+
+/**
+ * Creates an IKEv2 sa_payload_t object from a single proposal.
+ *
+ * @param proposal                     proposal from which the payload should be built.
+ * @return                                     sa_payload_t object
+ */
+sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal);
 
 /**
- * Creates a sa_payload_t object from a single proposal.
+ * Creates an IKEv1 sa_payload_t object from a list of proposals.
  *
- * This is only for convenience. Use sa_payload_create_from_proposal_list
- * if you want to add more than one proposal.
+ * @param proposals                    list of proposals to build the payload from
+ * @param lifetime                     lifetime in seconds
+ * @param lifebytes                    lifebytes, in bytes
+ * @param auth                         authentication method to use, or AUTH_NONE
+ * @param mode                         IPsec encapsulation mode, TRANSPORT or TUNNEL
+ * @param udp                          TRUE to use UDP encapsulation
+ * @return                                     sa_payload_t object
+ */
+sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
+                                                       u_int32_t lifetime, u_int64_t lifebytes,
+                                                       auth_method_t auth, ipsec_mode_t mode, bool udp);
+
+/**
+ * Creates an IKEv1 sa_payload_t object from a single proposal.
  *
- * @param type                         SECURITY_ASSOCIATION or SECURITY_ASSOCIATION_V1
  * @param proposal                     proposal from which the payload should be built.
+ * @param lifetime                     lifetime in seconds
+ * @param lifebytes                    lifebytes, in bytes
+ * @param auth                         authentication method to use, or AUTH_NONE
+ * @param mode                         IPsec encapsulation mode, TRANSPORT or TUNNEL
+ * @param udp                          TRUE to use UDP encapsulation
  * @return                                     sa_payload_t object
  */
-sa_payload_t *sa_payload_create_from_proposal(payload_type_t type,
-                                                                                         proposal_t *proposal);
+sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal,
+                                                       u_int32_t lifetime, u_int64_t lifebytes,
+                                                       auth_method_t auth, ipsec_mode_t mode, bool udp);
 
 #endif /** SA_PAYLOAD_H_ @}*/
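Review bot: The new getter documentation does not say what a caller gets when the payload carries no such value, which is the only case the current implementation produces: get_lifetime and get_lifebytes return 0, get_encap_mode returns MODE_NONE, and only get_auth_method mentions its AUTH_NONE fallback. Suggest `@return lifetime in seconds, 0 if none`, `@return life duration in bytes, 0 if none` and `@return ipsec encapsulation mode, MODE_NONE if none`. For get_encap_mode it is also worth stating that `udp` is always written (set to FALSE when no UDP encapsulation is present), so callers need not initialize it. The header also now pulls kernel/kernel_ipsec.h and sa/authenticators/authenticator.h into an encoding header; if the enums are all that is needed, a one-line comment saying so would explain the cross-layer include.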
index d27e006..a3850bb 100644 (file)
@@ -34,6 +34,12 @@ typedef struct authenticator_t authenticator_t;
  * Method to use for authentication, as defined in IKEv2.
  */
 enum auth_method_t {
+
+       /**
+        * No authentication used.
+        */
+       AUTH_NONE = 0,
+
        /**
         * Computed as specified in section 2.15 of RFC using
         * an RSA private key over a PKCS#1 padded hash.
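Review bot: AUTH_NONE = 0 is inserted into an enum whose header comment says the methods are "as defined in IKEv2", but 0 is not an IKEv2 authentication method value; the new enumerator's comment should make clear it is an internal placeholder that must never be encoded, e.g. `/** No authentication used (internal placeholder, not an IKEv2 wire value). */`. If an ENUM names table for auth_method_t exists elsewhere in the tree (not visible in this diff), its lower bound and the code that prints or validates received values need to account for the new 0 entry. The same applies to MODE_NONE = 0 added to ipsec_mode_t in kernel_ipsec.h and any ipsec_mode_names table.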
index e40f34d..79d0821 100644 (file)
@@ -527,13 +527,11 @@ static void build_payloads(private_child_create_t *this, message_t *message)
        /* add SA payload */
        if (this->initiator)
        {
-               sa_payload = sa_payload_create_from_proposal_list(SECURITY_ASSOCIATION,
-                                                                                                                 this->proposals);
+               sa_payload = sa_payload_create_from_proposals_v2(this->proposals);
        }
        else
        {
-               sa_payload = sa_payload_create_from_proposal(SECURITY_ASSOCIATION,
-                                                                                                        this->proposal);
+               sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
        }
        message->add_payload(message, (payload_t*)sa_payload);
 
index 868680b..3b0c4e8 100644 (file)
@@ -133,8 +133,7 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
                        enumerator->destroy(enumerator);
                }
 
-               sa_payload = sa_payload_create_from_proposal_list(SECURITY_ASSOCIATION,
-                                                                                                                 proposal_list);
+               sa_payload = sa_payload_create_from_proposals_v2(proposal_list);
                proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
        }
        else
@@ -144,8 +143,7 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
                        /* include SPI of new IKE_SA when we are rekeying */
                        this->proposal->set_spi(this->proposal, id->get_responder_spi(id));
                }
-               sa_payload = sa_payload_create_from_proposal(SECURITY_ASSOCIATION,
-                                                                                                        this->proposal);
+               sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
        }
        message->add_payload(message, (payload_t*)sa_payload);
 
index f592767..12ec5f7 100644 (file)
@@ -299,8 +299,8 @@ METHOD(task_t, build_i, status_t,
 
                        proposals = this->ike_cfg->get_proposals(this->ike_cfg);
 
-                       sa_payload = sa_payload_create_from_proposal_list(
-                                                                                       SECURITY_ASSOCIATION_V1, proposals);
+                       sa_payload = sa_payload_create_from_proposals_v1(proposals,
+                                                               0, 0, AUTH_NONE, MODE_NONE, FALSE);
                        proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
 
                        message->add_payload(message, &sa_payload->payload_interface);
@@ -573,8 +573,8 @@ METHOD(task_t, build_r, status_t,
                {
                        sa_payload_t *sa_payload;
 
-                       sa_payload = sa_payload_create_from_proposal(SECURITY_ASSOCIATION_V1,
-                                                                                                                this->proposal);
+                       sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
+                                                                                       0, 0, AUTH_NONE, MODE_NONE, FALSE);
                        message->add_payload(message, &sa_payload->payload_interface);
 
                        return NEED_MORE;
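Review bot: Both calls in this section pass the literal tuple `0, 0, AUTH_NONE, MODE_NONE, FALSE` with nothing marking them as placeholders, and the same four call sites appear in quick_mode.c; once the v1 constructors start encoding these arguments, a zero lifetime and no auth method will be sent silently. A `/* TODO-IKEv1: pass the configured lifetime, auth method and mode once sa_payload encodes them */` above each call would keep the stub visible. The enclosing build_i and build_r bodies start before the hunk.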
index eb9312d..1d5e6b5 100644 (file)
@@ -425,8 +425,8 @@ METHOD(task_t, build_i, status_t,
                        }
                        enumerator->destroy(enumerator);
 
-                       sa_payload = sa_payload_create_from_proposal_list(
-                                                                                               SECURITY_ASSOCIATION_V1, list);
+                       sa_payload = sa_payload_create_from_proposals_v1(list,
+                                                                                       0, 0, AUTH_NONE, MODE_NONE, FALSE);
                        list->destroy_offset(list, offsetof(proposal_t, destroy));
                        message->add_payload(message, &sa_payload->payload_interface);
 
@@ -551,8 +551,8 @@ METHOD(task_t, build_r, status_t,
                        }
                        this->proposal->set_spi(this->proposal, this->spi_r);
 
-                       sa_payload = sa_payload_create_from_proposal(
-                                                                       SECURITY_ASSOCIATION_V1, this->proposal);
+                       sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
+                                                                                       0, 0, AUTH_NONE, MODE_NONE, FALSE);
                        message->add_payload(message, &sa_payload->payload_interface);
 
                        if (!add_nonce(this, &this->nonce_r, message))
index ddb6328..7af76a3 100644 (file)
@@ -43,6 +43,8 @@ typedef struct mark_t mark_t;
  * Mode of an IPsec SA.
  */
 enum ipsec_mode_t {
+       /** not using any encapsulation */
+       MODE_NONE = 0,
        /** transport mode, no inner address */
        MODE_TRANSPORT = 1,
        /** tunnel mode, inner and outer addresses */