proposal->get_protocol(proposal),
proposal->get_spi(proposal));
DBG1(DBG_CFG, "injecting custom proposal: %#P", new_props);
- new = sa_payload_create_from_proposal_list(
- SECURITY_ASSOCIATION, new_props);
+ new = sa_payload_create_from_proposals_v2(new_props);
message->add_payload(message, (payload_t*)new);
new_props->destroy_offset(new_props, offsetof(proposal_t, destroy));
}
if (this->proposal)
{
message->add_payload(message, (payload_t*)
- sa_payload_create_from_proposal(SECURITY_ASSOCIATION,
- this->proposal));
+ sa_payload_create_from_proposal_v2(this->proposal));
}
if (this->tsi)
{
}
enumerator->destroy(enumerator);
}
- sa = sa_payload_create_from_proposal_list(SECURITY_ASSOCIATION, updated);
+ sa = sa_payload_create_from_proposals_v2(updated);
list->destroy_offset(list, offsetof(proposal_t, destroy));
updated->destroy_offset(updated, offsetof(proposal_t, destroy));
message->add_payload(message, (payload_t*)sa);
return this->proposals->create_enumerator(this->proposals);
}
+METHOD(sa_payload_t, get_lifetime, u_int32_t,
+ private_sa_payload_t *this)
+{
+ return 0;
+}
+
+METHOD(sa_payload_t, get_lifebytes, u_int64_t,
+ private_sa_payload_t *this)
+{
+ return 0;
+}
+
+METHOD(sa_payload_t, get_auth_method, auth_method_t,
+ private_sa_payload_t *this)
+{
+ return AUTH_NONE;
+}
+
+METHOD(sa_payload_t, get_encap_mode, ipsec_mode_t,
+ private_sa_payload_t *this, bool *udp)
+{
+ *udp = FALSE;
+ return MODE_NONE;
+}
+
METHOD2(payload_t, sa_payload_t, destroy, void,
private_sa_payload_t *this)
{
},
.get_proposals = _get_proposals,
.create_substructure_enumerator = _create_substructure_enumerator,
+ .get_lifetime = _get_lifetime,
+ .get_lifebytes = _get_lifebytes,
+ .get_auth_method = _get_auth_method,
+ .get_encap_mode = _get_encap_mode,
.destroy = _destroy,
},
.next_payload = NO_PAYLOAD,
return &this->public;
}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposals_v2(linked_list_t *proposals)
+{
+ private_sa_payload_t *this;
+ enumerator_t *enumerator;
+ proposal_t *proposal;
+
+ this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
+ enumerator = proposals->create_enumerator(proposals);
+ while (enumerator->enumerate(enumerator, &proposal))
+ {
+ add_proposal(this, proposal);
+ }
+ enumerator->destroy(enumerator);
+
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal)
+{
+ private_sa_payload_t *this;
+
+ this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
+ add_proposal(this, proposal);
+
+ return &this->public;
+
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
+ u_int32_t lifetime, u_int64_t lifebytes,
+ auth_method_t auth, ipsec_mode_t mode, bool udp)
+{
+ proposal_substructure_t *substruct;
+ private_sa_payload_t *this;
+
+ this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION);
+
+ /* IKEv1 encodes multiple proposals in a single substructure
+ * TODO-IKEv1: Encode ESP+AH proposals in two different substructs */
+ substruct = proposal_substructure_create_from_proposals(proposals);
+ substruct->set_is_last_proposal(substruct, TRUE);
+ this->proposals->insert_last(this->proposals, substruct);
+ compute_length(this);
+
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal,
+ u_int32_t lifetime, u_int64_t lifebytes,
+ auth_method_t auth, ipsec_mode_t mode, bool udp)
+{
+ proposal_substructure_t *substruct;
+ private_sa_payload_t *this;
+
+ this = (private_sa_payload_t*)sa_payload_create(SECURITY_ASSOCIATION_V1);
+
+ substruct = proposal_substructure_create_from_proposal(
+ PROPOSAL_SUBSTRUCTURE_V1, proposal);
+ substruct->set_is_last_proposal(substruct, TRUE);
+ this->proposals->insert_last(this->proposals, substruct);
+ compute_length(this);
+
+ return &this->public;
+}
#include <encoding/payloads/payload.h>
#include <encoding/payloads/proposal_substructure.h>
#include <utils/linked_list.h>
+#include <kernel/kernel_ipsec.h>
+#include <sa/authenticators/authenticator.h>
/**
* Class representing an IKEv1 or IKEv2 SA Payload.
linked_list_t *(*get_proposals) (sa_payload_t *this);
/**
+ * Get the (shortest) lifetime of a proposal (IKEv1 only).
+ *
+ * @return lifetime, in seconds
+ */
+ u_int32_t (*get_lifetime)(sa_payload_t *this);
+
+ /**
+ * Get the (shortest) life duration of a proposal (IKEv1 only).
+ *
+ * @return life duration, in bytes
+ */
+ u_int64_t (*get_lifebytes)(sa_payload_t *this);
+
+ /**
+ * Get the first authentication method from the proposal (IKEv1 only).
+ *
+ * @return auth method, or AUTH_NONE
+ */
+ auth_method_t (*get_auth_method)(sa_payload_t *this);
+
+ /**
+ * Get the (first) encapsulation mode from a proposal (IKEv1 only).
+ *
+ * @param udp set to TRUE if UDP encapsulation used
+ * @return ipsec encapsulation mode
+ */
+ ipsec_mode_t (*get_encap_mode)(sa_payload_t *this, bool *udp);
+
+ /**
* Create an enumerator over all proposal substructures.
*
* @return enumerator over proposal_substructure_t
sa_payload_t *sa_payload_create(payload_type_t type);
/**
- * Creates a sa_payload_t object from a list of proposals.
+ * Creates an IKEv2 sa_payload_t object from a list of proposals.
*
- * @param type SECURITY_ASSOCIATION or SECURITY_ASSOCIATION_V1
* @param proposals list of proposals to build the payload from
* @return sa_payload_t object
*/
-sa_payload_t *sa_payload_create_from_proposal_list(payload_type_t type,
- linked_list_t *proposals);
+sa_payload_t *sa_payload_create_from_proposals_v2(linked_list_t *proposals);
+
+/**
+ * Creates an IKEv2 sa_payload_t object from a single proposal.
+ *
+ * @param proposal proposal from which the payload should be built.
+ * @return sa_payload_t object
+ */
+sa_payload_t *sa_payload_create_from_proposal_v2(proposal_t *proposal);
/**
- * Creates a sa_payload_t object from a single proposal.
+ * Creates an IKEv1 sa_payload_t object from a list of proposals.
*
- * This is only for convenience. Use sa_payload_create_from_proposal_list
- * if you want to add more than one proposal.
+ * @param proposals list of proposals to build the payload from
+ * @param lifetime lifetime in seconds
+ * @param lifebytes lifebytes, in bytes
+ * @param auth authentication method to use, or AUTH_NONE
+ * @param mode IPsec encapsulation mode, TRANSPORT or TUNNEL
+ * @param udp TRUE to use UDP encapsulation
+ * @return sa_payload_t object
+ */
+sa_payload_t *sa_payload_create_from_proposals_v1(linked_list_t *proposals,
+ u_int32_t lifetime, u_int64_t lifebytes,
+ auth_method_t auth, ipsec_mode_t mode, bool udp);
+
+/**
+ * Creates an IKEv1 sa_payload_t object from a single proposal.
*
- * @param type SECURITY_ASSOCIATION or SECURITY_ASSOCIATION_V1
* @param proposal proposal from which the payload should be built.
+ * @param lifetime lifetime in seconds
+ * @param lifebytes lifebytes, in bytes
+ * @param auth authentication method to use, or AUTH_NONE
+ * @param mode IPsec encapsulation mode, TRANSPORT or TUNNEL
+ * @param udp TRUE to use UDP encapsulation
* @return sa_payload_t object
*/
-sa_payload_t *sa_payload_create_from_proposal(payload_type_t type,
- proposal_t *proposal);
+sa_payload_t *sa_payload_create_from_proposal_v1(proposal_t *proposal,
+ u_int32_t lifetime, u_int64_t lifebytes,
+ auth_method_t auth, ipsec_mode_t mode, bool udp);
#endif /** SA_PAYLOAD_H_ @}*/
* Method to use for authentication, as defined in IKEv2.
*/
enum auth_method_t {
+
+ /**
+ * No authentication used.
+ */
+ AUTH_NONE = 0,
+
/**
* Computed as specified in section 2.15 of RFC using
* an RSA private key over a PKCS#1 padded hash.
/* add SA payload */
if (this->initiator)
{
- sa_payload = sa_payload_create_from_proposal_list(SECURITY_ASSOCIATION,
- this->proposals);
+ sa_payload = sa_payload_create_from_proposals_v2(this->proposals);
}
else
{
- sa_payload = sa_payload_create_from_proposal(SECURITY_ASSOCIATION,
- this->proposal);
+ sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
}
message->add_payload(message, (payload_t*)sa_payload);
enumerator->destroy(enumerator);
}
- sa_payload = sa_payload_create_from_proposal_list(SECURITY_ASSOCIATION,
- proposal_list);
+ sa_payload = sa_payload_create_from_proposals_v2(proposal_list);
proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
}
else
/* include SPI of new IKE_SA when we are rekeying */
this->proposal->set_spi(this->proposal, id->get_responder_spi(id));
}
- sa_payload = sa_payload_create_from_proposal(SECURITY_ASSOCIATION,
- this->proposal);
+ sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
}
message->add_payload(message, (payload_t*)sa_payload);
proposals = this->ike_cfg->get_proposals(this->ike_cfg);
- sa_payload = sa_payload_create_from_proposal_list(
- SECURITY_ASSOCIATION_V1, proposals);
+ sa_payload = sa_payload_create_from_proposals_v1(proposals,
+ 0, 0, AUTH_NONE, MODE_NONE, FALSE);
proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
message->add_payload(message, &sa_payload->payload_interface);
{
sa_payload_t *sa_payload;
- sa_payload = sa_payload_create_from_proposal(SECURITY_ASSOCIATION_V1,
- this->proposal);
+ sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
+ 0, 0, AUTH_NONE, MODE_NONE, FALSE);
message->add_payload(message, &sa_payload->payload_interface);
return NEED_MORE;
}
enumerator->destroy(enumerator);
- sa_payload = sa_payload_create_from_proposal_list(
- SECURITY_ASSOCIATION_V1, list);
+ sa_payload = sa_payload_create_from_proposals_v1(list,
+ 0, 0, AUTH_NONE, MODE_NONE, FALSE);
list->destroy_offset(list, offsetof(proposal_t, destroy));
message->add_payload(message, &sa_payload->payload_interface);
}
this->proposal->set_spi(this->proposal, this->spi_r);
- sa_payload = sa_payload_create_from_proposal(
- SECURITY_ASSOCIATION_V1, this->proposal);
+ sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
+ 0, 0, AUTH_NONE, MODE_NONE, FALSE);
message->add_payload(message, &sa_payload->payload_interface);
if (!add_nonce(this, &this->nonce_r, message))
* Mode of an IPsec SA.
*/
enum ipsec_mode_t {
+ /** not using any encapsulation */
+ MODE_NONE = 0,
/** transport mode, no inner address */
MODE_TRANSPORT = 1,
/** tunnel mode, inner and outer addresses */
projects / strongswan.git / commitdiff