/*
+ * Copyright (C) 2012-2014 Tobias Brunner
* Copyright (C) 2005-2010 Martin Willi
* Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
#include <encoding/payloads/encodings.h>
#include <encoding/payloads/transform_substructure.h>
#include <library.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <daemon.h>
/**
/**
* Next payload type.
*/
- u_int8_t next_payload;
+ uint8_t next_payload;
/**
* reserved byte
*/
- u_int8_t reserved;
+ uint8_t reserved;
/**
* Length of this payload.
*/
- u_int16_t proposal_length;
+ uint16_t proposal_length;
/**
* Proposal number.
*/
- u_int8_t proposal_number;
+ uint8_t proposal_number;
/**
* Protocol ID.
*/
- u_int8_t protocol_id;
+ uint8_t protocol_id;
/**
* SPI size of the following SPI.
*/
- u_int8_t spi_size;
+ uint8_t spi_size;
/**
* Number of transforms.
*/
- u_int8_t transforms_count;
+ uint8_t transforms_count;
/**
* SPI is stored as chunk.
linked_list_t *transforms;
/**
- * Type of this payload, PROPOSAL_SUBSTRUCTURE or PROPOSAL_SUBSTRUCTURE_V1
+ * Type of this payload, PLV2_PROPOSAL_SUBSTRUCTURE or PLV1_PROPOSAL_SUBSTRUCTURE
*/
payload_type_t type;
};
/* SPI is a chunk of variable size*/
{ SPI, offsetof(private_proposal_substructure_t, spi) },
/* Transforms are stored in a transform substructure list */
- { PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE_V1,
+ { PAYLOAD_LIST + PLV1_TRANSFORM_SUBSTRUCTURE,
offsetof(private_proposal_substructure_t, transforms) },
};
/* SPI is a chunk of variable size*/
{ SPI, offsetof(private_proposal_substructure_t, spi) },
/* Transforms are stored in a transform substructure list */
- { PAYLOAD_LIST + TRANSFORM_SUBSTRUCTURE,
+ { PAYLOAD_LIST + PLV2_TRANSFORM_SUBSTRUCTURE,
offsetof(private_proposal_substructure_t, transforms) },
};
IKEV1_ENCR_CAST_CBC = 6,
IKEV1_ENCR_AES_CBC = 7,
IKEV1_ENCR_CAMELLIA_CBC = 8,
- IKEV1_ENCR_LAST = 9,
+ /* FreeS/WAN proprietary */
+ IKEV1_ENCR_SERPENT_CBC = 65004,
+ IKEV1_ENCR_TWOFISH_CBC = 65005,
} ikev1_encryption_t;
/**
} ikev1_ike_transid_t;
/**
- * IKEv1 Transform ID ESP.
+ * IKEv1 Transform ID ESP encryption algorithm.
*/
typedef enum {
- IKEV1_TRANSID_ESP_DES_IV64 = 1,
- IKEV1_TRANSID_ESP_DES = 2,
- IKEV1_TRANSID_ESP_3DES = 3,
- IKEV1_TRANSID_ESP_RC5 = 4,
- IKEV1_TRANSID_ESP_IDEA = 5,
- IKEV1_TRANSID_ESP_CAST = 6,
- IKEV1_TRANSID_ESP_BLOWFISH = 7,
- IKEV1_TRANSID_ESP_3IDEA = 8,
- IKEV1_TRANSID_ESP_DES_IV32 = 9,
- IKEV1_TRANSID_ESP_RC4 = 10,
- IKEV1_TRANSID_ESP_NULL = 11,
- IKEV1_TRANSID_ESP_AES_CBC = 12,
+ IKEV1_ESP_ENCR_DES_IV64 = 1,
+ IKEV1_ESP_ENCR_DES = 2,
+ IKEV1_ESP_ENCR_3DES = 3,
+ IKEV1_ESP_ENCR_RC5 = 4,
+ IKEV1_ESP_ENCR_IDEA = 5,
+ IKEV1_ESP_ENCR_CAST = 6,
+ IKEV1_ESP_ENCR_BLOWFISH = 7,
+ IKEV1_ESP_ENCR_3IDEA = 8,
+ IKEV1_ESP_ENCR_DES_IV32 = 9,
+ IKEV1_ESP_ENCR_RC4 = 10,
+ IKEV1_ESP_ENCR_NULL = 11,
+ IKEV1_ESP_ENCR_AES_CBC = 12,
+ IKEV1_ESP_ENCR_AES_CTR = 13,
+ IKEV1_ESP_ENCR_AES_CCM_8 = 14,
+ IKEV1_ESP_ENCR_AES_CCM_12 = 15,
+ IKEV1_ESP_ENCR_AES_CCM_16 = 16,
+ IKEV1_ESP_ENCR_AES_GCM_8 = 18,
+ IKEV1_ESP_ENCR_AES_GCM_12 = 19,
+ IKEV1_ESP_ENCR_AES_GCM_16 = 20,
+ IKEV1_ESP_ENCR_SEED_CBC = 21,
+ IKEV1_ESP_ENCR_CAMELLIA = 22,
+ IKEV1_ESP_ENCR_NULL_AUTH_AES_GMAC = 23,
+ /* FreeS/WAN proprietary */
+ IKEV1_ESP_ENCR_SERPENT = 252,
+ IKEV1_ESP_ENCR_TWOFISH = 253,
} ikev1_esp_transid_t;
+/**
+ * IKEv1 Transform ID AH authentication algorithm.
+ */
+typedef enum {
+ IKEV1_AH_HMAC_MD5 = 2,
+ IKEV1_AH_HMAC_SHA = 3,
+ IKEV1_AH_DES_MAC = 4,
+ IKEV1_AH_HMAC_SHA2_256 = 5,
+ IKEV1_AH_HMAC_SHA2_384 = 6,
+ IKEV1_AH_HMAC_SHA2_512 = 7,
+ IKEV1_AH_RIPEMD = 8,
+ IKEV1_AH_AES_XCBC_MAC = 9,
+ IKEV1_AH_RSA = 10,
+ IKEV1_AH_AES_128_GMAC = 11,
+ IKEV1_AH_AES_192_GMAC = 12,
+ IKEV1_AH_AES_256_GMAC = 13,
+} ikev1_ah_transid_t;
+
+/**
+ * IKEv1 authentication algorithm.
+ */
+typedef enum {
+ IKEV1_AUTH_HMAC_MD5 = 1,
+ IKEV1_AUTH_HMAC_SHA = 2,
+ IKEV1_AUTH_DES_MAC = 3,
+ IKEV1_AUTH_KPDK = 4,
+ IKEV1_AUTH_HMAC_SHA2_256 = 5,
+ IKEV1_AUTH_HMAC_SHA2_384 = 6,
+ IKEV1_AUTH_HMAC_SHA2_512 = 7,
+ IKEV1_AUTH_HMAC_RIPEMD = 8,
+ IKEV1_AUTH_AES_XCBC_MAC = 9,
+ IKEV1_AUTH_SIG_RSA = 10,
+ IKEV1_AUTH_AES_128_GMAC = 11,
+ IKEV1_AUTH_AES_192_GMAC = 12,
+ IKEV1_AUTH_AES_256_GMAC = 13,
+} ikev1_auth_algo_t;
+
/**
* IKEv1 ESP Encapsulation mode.
*/
IKEV1_ENCAP_TRANSPORT = 2,
IKEV1_ENCAP_UDP_TUNNEL = 3,
IKEV1_ENCAP_UDP_TRANSPORT = 4,
+ IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03 = 61443,
+ IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03 = 61444,
} ikev1_esp_encap_t;
/**
} ikev1_life_type_t;
/**
- * IKEv1 authenticaiton methods
+ * IKEv1 authentication methods
*/
typedef enum {
IKEV1_AUTH_PSK = 1,
IKEV1_AUTH_RSA_SIG = 3,
IKEV1_AUTH_RSA_ENC = 4,
IKEV1_AUTH_RSA_ENC_REV = 5,
+ IKEV1_AUTH_ECDSA_256 = 9,
+ IKEV1_AUTH_ECDSA_384 = 10,
+ IKEV1_AUTH_ECDSA_521 = 11,
+ /* XAuth Modes */
IKEV1_AUTH_XAUTH_INIT_PSK = 65001,
IKEV1_AUTH_XAUTH_RESP_PSK = 65002,
IKEV1_AUTH_XAUTH_INIT_DSS = 65003,
IKEV1_AUTH_XAUTH_RESP_RSA_ENC = 65008,
IKEV1_AUTH_XAUTH_INIT_RSA_ENC_REV = 65009,
IKEV1_AUTH_XAUTH_RESP_RSA_ENC_REV = 65010,
+ /* Hybrid Modes */
+ IKEV1_AUTH_HYBRID_INIT_RSA = 64221,
+ IKEV1_AUTH_HYBRID_RESP_RSA = 64222,
+ IKEV1_AUTH_HYBRID_INIT_DSS = 64223,
+ IKEV1_AUTH_HYBRID_RESP_DSS = 64224,
} ikev1_auth_method_t;
+/**
+ * IKEv1 IPComp transform IDs
+ */
+typedef enum {
+ IKEV1_IPCOMP_OUI = 1,
+ IKEV1_IPCOMP_DEFLATE = 2,
+ IKEV1_IPCOMP_LZS = 3,
+} ikev1_ipcomp_transform_t;
+
METHOD(payload_t, verify, status_t,
private_proposal_substructure_t *this)
{
enumerator_t *enumerator;
payload_t *current;
- if (this->next_payload != NO_PAYLOAD && this->next_payload != 2)
+ if (this->next_payload != PL_NONE && this->next_payload != 2)
{
/* must be 0 or 2 */
DBG1(DBG_ENC, "inconsistent next payload");
switch (this->protocol_id)
{
+ case PROTO_IPCOMP:
+ if (this->spi.len != 2 && this->spi.len != 4)
+ {
+ DBG1(DBG_ENC, "invalid CPI length in IPCOMP proposal");
+ return FAILED;
+ }
+ break;
case PROTO_AH:
case PROTO_ESP:
if (this->spi.len != 4)
{
DBG1(DBG_ENC, "invalid SPI length in %N proposal",
- protocol_id_names, this->protocol_id);
+ protocol_id_names, this->protocol_id);
return FAILED;
}
break;
case PROTO_IKE:
- if (this->spi.len != 0 && this->spi.len != 8)
+ if (this->type == PLV1_PROPOSAL_SUBSTRUCTURE)
{
- DBG1(DBG_ENC, "invalid SPI length in IKE proposal");
- return FAILED;
+ if (this->spi.len <= 16)
+ { /* according to RFC 2409, section 3.5 anything between
+ * 0 and 16 is fine */
+ break;
+ }
}
- break;
+ else if (this->spi.len == 0 || this->spi.len == 8)
+ {
+ break;
+ }
+ DBG1(DBG_ENC, "invalid SPI length in IKE proposal");
+ return FAILED;
default:
break;
}
METHOD(payload_t, get_encoding_rules, int,
private_proposal_substructure_t *this, encoding_rule_t **rules)
{
- if (this->type == PROPOSAL_SUBSTRUCTURE)
+ if (this->type == PLV2_PROPOSAL_SUBSTRUCTURE)
{
*rules = encodings_v2;
return countof(encodings_v2);
}
METHOD(proposal_substructure_t, set_proposal_number, void,
- private_proposal_substructure_t *this,u_int8_t proposal_number)
+ private_proposal_substructure_t *this,uint8_t proposal_number)
{
this->proposal_number = proposal_number;
}
-METHOD(proposal_substructure_t, get_proposal_number, u_int8_t,
+METHOD(proposal_substructure_t, get_proposal_number, uint8_t,
private_proposal_substructure_t *this)
{
return this->proposal_number;
}
METHOD(proposal_substructure_t, set_protocol_id, void,
- private_proposal_substructure_t *this,u_int8_t protocol_id)
+ private_proposal_substructure_t *this,uint8_t protocol_id)
{
this->protocol_id = protocol_id;
}
-METHOD(proposal_substructure_t, get_protocol_id, u_int8_t,
+METHOD(proposal_substructure_t, get_protocol_id, uint8_t,
private_proposal_substructure_t *this)
{
return this->protocol_id;
return this->spi;
}
+METHOD(proposal_substructure_t, get_cpi, bool,
+ private_proposal_substructure_t *this, uint16_t *cpi)
+{
+
+ transform_substructure_t *transform;
+ enumerator_t *enumerator;
+
+ if (this->protocol_id != PROTO_IPCOMP)
+ {
+ return FALSE;
+ }
+
+ enumerator = this->transforms->create_enumerator(this->transforms);
+ while (enumerator->enumerate(enumerator, &transform))
+ {
+ if (transform->get_transform_id(transform) == IKEV1_IPCOMP_DEFLATE)
+ {
+ if (cpi)
+ {
+ *cpi = htons(untoh16(this->spi.ptr + this->spi.len - 2));
+ }
+ enumerator->destroy(enumerator);
+ return TRUE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return FALSE;
+}
+
/**
* Add a transform to a proposal for IKEv2
*/
{
transform_attribute_t *tattr;
enumerator_t *enumerator;
- u_int16_t key_length = 0;
+ uint16_t key_length = 0;
enumerator = transform->create_attribute_enumerator(transform);
while (enumerator->enumerate(enumerator, &tattr))
* Map IKEv1 to IKEv2 algorithms
*/
typedef struct {
- u_int16_t ikev1;
- u_int16_t ikev2;
+ uint16_t ikev1;
+ uint16_t ikev2;
} algo_map_t;
/**
{ IKEV1_ENCR_CAST_CBC, ENCR_CAST },
{ IKEV1_ENCR_AES_CBC, ENCR_AES_CBC },
{ IKEV1_ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CBC },
+ { IKEV1_ENCR_SERPENT_CBC, ENCR_SERPENT_CBC },
+ { IKEV1_ENCR_TWOFISH_CBC, ENCR_TWOFISH_CBC },
};
/**
};
/**
- * Get IKEv2 algorithm from IKEv1 identifier
+ * ESP encryption algorithm mapping
+ */
+static algo_map_t map_esp[] = {
+ { IKEV1_ESP_ENCR_DES_IV64, ENCR_DES_IV64 },
+ { IKEV1_ESP_ENCR_DES, ENCR_DES },
+ { IKEV1_ESP_ENCR_3DES, ENCR_3DES },
+ { IKEV1_ESP_ENCR_RC5, ENCR_RC5 },
+ { IKEV1_ESP_ENCR_IDEA, ENCR_IDEA },
+ { IKEV1_ESP_ENCR_CAST, ENCR_CAST },
+ { IKEV1_ESP_ENCR_BLOWFISH, ENCR_BLOWFISH },
+ { IKEV1_ESP_ENCR_3IDEA, ENCR_3IDEA },
+ { IKEV1_ESP_ENCR_DES_IV32, ENCR_DES_IV32 },
+ { IKEV1_ESP_ENCR_NULL, ENCR_NULL },
+ { IKEV1_ESP_ENCR_AES_CBC, ENCR_AES_CBC },
+ { IKEV1_ESP_ENCR_AES_CTR, ENCR_AES_CTR },
+ { IKEV1_ESP_ENCR_AES_CCM_8, ENCR_AES_CCM_ICV8 },
+ { IKEV1_ESP_ENCR_AES_CCM_12, ENCR_AES_CCM_ICV12 },
+ { IKEV1_ESP_ENCR_AES_CCM_16, ENCR_AES_CCM_ICV16 },
+ { IKEV1_ESP_ENCR_AES_GCM_8, ENCR_AES_GCM_ICV8 },
+ { IKEV1_ESP_ENCR_AES_GCM_12, ENCR_AES_GCM_ICV12 },
+ { IKEV1_ESP_ENCR_AES_GCM_16, ENCR_AES_GCM_ICV16 },
+ { IKEV1_ESP_ENCR_CAMELLIA, ENCR_CAMELLIA_CBC },
+ { IKEV1_ESP_ENCR_NULL_AUTH_AES_GMAC, ENCR_NULL_AUTH_AES_GMAC },
+ { IKEV1_ESP_ENCR_SERPENT, ENCR_SERPENT_CBC },
+ { IKEV1_ESP_ENCR_TWOFISH, ENCR_TWOFISH_CBC },
+};
+
+/**
+ * AH authentication algorithm mapping
+ */
+static algo_map_t map_ah[] = {
+ { IKEV1_AH_HMAC_MD5, AUTH_HMAC_MD5_96 },
+ { IKEV1_AH_HMAC_SHA, AUTH_HMAC_SHA1_96 },
+ { IKEV1_AH_DES_MAC, AUTH_DES_MAC },
+ { IKEV1_AH_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128 },
+ { IKEV1_AH_HMAC_SHA2_384, AUTH_HMAC_SHA2_384_192 },
+ { IKEV1_AH_HMAC_SHA2_512, AUTH_HMAC_SHA2_512_256 },
+ { IKEV1_AH_AES_XCBC_MAC, AUTH_AES_XCBC_96 },
+ { IKEV1_AH_AES_128_GMAC, AUTH_AES_128_GMAC },
+ { IKEV1_AH_AES_192_GMAC, AUTH_AES_192_GMAC },
+ { IKEV1_AH_AES_256_GMAC, AUTH_AES_256_GMAC },
+};
+
+/**
+ * ESP/AH authentication algorithm mapping
+ */
+static algo_map_t map_auth[] = {
+ { IKEV1_AUTH_HMAC_MD5, AUTH_HMAC_MD5_96 },
+ { IKEV1_AUTH_HMAC_SHA, AUTH_HMAC_SHA1_96 },
+ { IKEV1_AUTH_DES_MAC, AUTH_DES_MAC },
+ { IKEV1_AUTH_KPDK, AUTH_KPDK_MD5 },
+ { IKEV1_AUTH_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128 },
+ { IKEV1_AUTH_HMAC_SHA2_384, AUTH_HMAC_SHA2_384_192 },
+ { IKEV1_AUTH_HMAC_SHA2_512, AUTH_HMAC_SHA2_512_256 },
+ { IKEV1_AUTH_AES_XCBC_MAC, AUTH_AES_XCBC_96 },
+ { IKEV1_AUTH_AES_128_GMAC, AUTH_AES_128_GMAC },
+ { IKEV1_AUTH_AES_192_GMAC, AUTH_AES_192_GMAC },
+ { IKEV1_AUTH_AES_256_GMAC, AUTH_AES_256_GMAC },
+};
+
+/**
+ * Map an IKEv1 to an IKEv2 identifier
*/
-static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value)
+static uint16_t ikev2_from_ikev1(algo_map_t *map, int count, uint16_t def,
+ uint16_t value)
{
- algo_map_t *map;
- u_int16_t def;
- int i, count;
+ int i;
- switch (type)
- {
- case ENCRYPTION_ALGORITHM:
- map = map_encr;
- count = countof(map_encr);
- def = ENCR_UNDEFINED;
- break;
- case INTEGRITY_ALGORITHM:
- map = map_integ;
- count = countof(map_integ);
- def = AUTH_UNDEFINED;
- break;
- case PSEUDO_RANDOM_FUNCTION:
- map = map_prf;
- count = countof(map_prf);
- def = PRF_UNDEFINED;
- break;
- default:
- return 0;
- }
for (i = 0; i < count; i++)
{
if (map[i].ikev1 == value)
}
/**
- * Get IKEv1 algorithm from IKEv2 identifier
+ * Map an IKEv2 to an IKEv1 identifier
+ */
+static uint16_t ikev1_from_ikev2(algo_map_t *map, int count, uint16_t value)
+{
+ int i;
+
+ for (i = 0; i < count; i++)
+ {
+ if (map[i].ikev2 == value)
+ {
+ return map[i].ikev1;
+ }
+ }
+ return 0;
+}
+
+/**
+ * Get IKEv2 algorithm from IKEv1 identifier
*/
-static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value)
+static uint16_t get_alg_from_ikev1(transform_type_t type, uint16_t value)
{
- algo_map_t *map;
- int i, count;
+ switch (type)
+ {
+ case ENCRYPTION_ALGORITHM:
+ return ikev2_from_ikev1(map_encr, countof(map_encr),
+ ENCR_UNDEFINED, value);
+ case INTEGRITY_ALGORITHM:
+ return ikev2_from_ikev1(map_integ, countof(map_integ),
+ AUTH_UNDEFINED, value);
+ case PSEUDO_RANDOM_FUNCTION:
+ return ikev2_from_ikev1(map_prf, countof(map_prf),
+ PRF_UNDEFINED, value);
+ default:
+ return 0;
+ }
+}
+/**
+ * Get IKEv1 algorithm from IKEv2 identifier
+ */
+static uint16_t get_ikev1_from_alg(transform_type_t type, uint16_t value)
+{
switch (type)
{
case ENCRYPTION_ALGORITHM:
- map = map_encr;
- count = countof(map_encr);
- break;
+ return ikev1_from_ikev2(map_encr, countof(map_encr), value);
case INTEGRITY_ALGORITHM:
- map = map_integ;
- count = countof(map_integ);
- break;
+ return ikev1_from_ikev2(map_integ, countof(map_integ), value);
case PSEUDO_RANDOM_FUNCTION:
- map = map_prf;
- count = countof(map_prf);
- break;
+ return ikev1_from_ikev2(map_prf, countof(map_prf), value);
default:
return 0;
}
- for (i = 0; i < count; i++)
+}
+
+/**
+ * Get IKEv2 algorithm from IKEv1 ESP/AH transform ID
+ */
+static uint16_t get_alg_from_ikev1_transid(transform_type_t type,
+ uint16_t value)
+{
+ switch (type)
{
- if (map[i].ikev2 == value)
- {
- return map[i].ikev1;
- }
+ case ENCRYPTION_ALGORITHM:
+ return ikev2_from_ikev1(map_esp, countof(map_esp),
+ ENCR_UNDEFINED, value);
+ case INTEGRITY_ALGORITHM:
+ return ikev2_from_ikev1(map_ah, countof(map_ah),
+ AUTH_UNDEFINED, value);
+ default:
+ return 0;
+ }
+}
+
+/**
+ * Get IKEv1 ESP/AH transform ID from IKEv2 identifier
+ */
+static uint16_t get_ikev1_transid_from_alg(transform_type_t type,
+ uint16_t value)
+{
+ switch (type)
+ {
+ case ENCRYPTION_ALGORITHM:
+ return ikev1_from_ikev2(map_esp, countof(map_esp), value);
+ case INTEGRITY_ALGORITHM:
+ return ikev1_from_ikev2(map_ah, countof(map_ah), value);
+ default:
+ return 0;
}
- return 0;
+}
+
+/**
+ * Get IKEv1 authentication algorithm from IKEv2 identifier
+ */
+static uint16_t get_alg_from_ikev1_auth(uint16_t value)
+{
+ return ikev2_from_ikev1(map_auth, countof(map_auth), AUTH_UNDEFINED, value);
+}
+
+/**
+ * Get IKEv1 authentication algorithm from IKEv2 identifier
+ */
+static uint16_t get_ikev1_auth_from_alg(uint16_t value)
+{
+ return ikev1_from_ikev2(map_auth, countof(map_auth), value);
}
/**
* Get IKEv1 authentication attribute from auth_method_t
*/
-static u_int16_t get_ikev1_auth(auth_method_t method)
+static uint16_t get_ikev1_auth(auth_method_t method)
{
switch (method)
{
return IKEV1_AUTH_DSS_SIG;
case AUTH_XAUTH_INIT_PSK:
return IKEV1_AUTH_XAUTH_INIT_PSK;
+ case AUTH_XAUTH_RESP_PSK:
+ return IKEV1_AUTH_XAUTH_RESP_PSK;
case AUTH_XAUTH_INIT_RSA:
return IKEV1_AUTH_XAUTH_INIT_RSA;
- default:
- /* TODO-IKEv1: Handle other XAUTH methods */
- /* TODO-IKEv1: Handle ECDSA methods */
+ case AUTH_XAUTH_RESP_RSA:
+ return IKEV1_AUTH_XAUTH_RESP_RSA;
+ case AUTH_HYBRID_INIT_RSA:
+ return IKEV1_AUTH_HYBRID_INIT_RSA;
+ case AUTH_HYBRID_RESP_RSA:
+ return IKEV1_AUTH_HYBRID_RESP_RSA;
+ case AUTH_ECDSA_256:
+ return IKEV1_AUTH_ECDSA_256;
+ case AUTH_ECDSA_384:
+ return IKEV1_AUTH_ECDSA_384;
+ case AUTH_ECDSA_521:
+ return IKEV1_AUTH_ECDSA_521;
case AUTH_PSK:
+ default:
return IKEV1_AUTH_PSK;
}
}
/**
* Get IKEv1 encapsulation mode
*/
-static u_int16_t get_ikev1_mode(ipsec_mode_t mode, bool udp)
+static uint16_t get_ikev1_mode(ipsec_mode_t mode, encap_t udp)
{
switch (mode)
{
case MODE_TUNNEL:
- return udp ? IKEV1_ENCAP_UDP_TUNNEL : IKEV1_ENCAP_TUNNEL;
+ switch (udp)
+ {
+ case ENCAP_UDP:
+ return IKEV1_ENCAP_UDP_TUNNEL;
+ case ENCAP_UDP_DRAFT_00_03:
+ return IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03;
+ default:
+ return IKEV1_ENCAP_TUNNEL;
+ }
case MODE_TRANSPORT:
- return udp ? IKEV1_ENCAP_UDP_TRANSPORT : IKEV1_ENCAP_TRANSPORT;
+ switch (udp)
+ {
+ case ENCAP_UDP:
+ return IKEV1_ENCAP_UDP_TRANSPORT;
+ case ENCAP_UDP_DRAFT_00_03:
+ return IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03;
+ default:
+ return IKEV1_ENCAP_TRANSPORT;
+ }
default:
return IKEV1_ENCAP_TUNNEL;
}
transform_attribute_type_t type;
transform_attribute_t *tattr;
enumerator_t *enumerator;
- u_int16_t value, key_length = 0;
- u_int16_t encr = ENCR_UNDEFINED;
+ uint16_t value, key_length = 0;
+ uint16_t encr = ENCR_UNDEFINED;
enumerator = transform->create_attribute_enumerator(transform);
while (enumerator->enumerate(enumerator, &tattr))
value, 0);
break;
default:
- /* TODO-IKEv1: lifetimes, authentication and other attributes */
break;
}
}
if (encr != ENCR_UNDEFINED)
{
+ if (encr == ENCR_AES_CBC && !key_length)
+ { /* some implementations don't send a Key Length attribute for
+ * AES-128, early drafts of RFC 3602 allowed that */
+ key_length = 128;
+ }
proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, key_length);
}
}
/**
- * Add an ESP transform to a proposal for IKEv1
+ * Add an ESP/AH transform to a proposal for IKEv1
*/
-static void add_to_proposal_v1_esp(proposal_t *proposal,
- transform_substructure_t *transform)
+static void add_to_proposal_v1(proposal_t *proposal,
+ transform_substructure_t *transform, protocol_id_t proto)
{
transform_attribute_type_t type;
transform_attribute_t *tattr;
enumerator_t *enumerator;
- u_int16_t value, key_length = 0;
+ uint16_t encr, value, key_length = 0;
+ extended_sequence_numbers_t esn = NO_EXT_SEQ_NUMBERS;
enumerator = transform->create_attribute_enumerator(transform);
while (enumerator->enumerate(enumerator, &tattr))
break;
case TATTR_PH2_AUTH_ALGORITHM:
proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM,
- get_alg_from_ikev1(INTEGRITY_ALGORITHM, value), 0);
+ get_alg_from_ikev1_auth(value), 0);
+ break;
+ case TATTR_PH2_GROUP:
+ proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
+ value, 0);
+ break;
+ case TATTR_PH2_EXT_SEQ_NUMBER:
+ esn = EXT_SEQ_NUMBERS;
break;
default:
- /* TODO-IKEv1: lifetimes other attributes */
break;
}
}
enumerator->destroy(enumerator);
- /* TODO-IKEv1: handle ESN attribute */
- proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS,
- NO_EXT_SEQ_NUMBERS, 0);
-
- proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM,
- transform->get_transform_id(transform), key_length);
+ proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, esn, 0);
+ if (proto == PROTO_ESP)
+ {
+ encr = get_alg_from_ikev1_transid(ENCRYPTION_ALGORITHM,
+ transform->get_transform_id(transform));
+ if (encr)
+ {
+ if (encr == ENCR_AES_CBC && !key_length)
+ { /* some implementations don't send a Key Length attribute for
+ * AES-128, early drafts of RFC 3602 allowed that for IKE, some
+ * also seem to do it for ESP */
+ key_length = 128;
+ }
+ proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr,
+ key_length);
+ }
+ }
}
METHOD(proposal_substructure_t, get_proposals, void,
transform_substructure_t *transform;
enumerator_t *enumerator;
proposal_t *proposal = NULL;
- u_int64_t spi = 0;
+ uint64_t spi = 0;
switch (this->spi.len)
{
case 4:
- spi = *((u_int32_t*)this->spi.ptr);
+ spi = *((uint32_t*)this->spi.ptr);
break;
case 8:
- spi = *((u_int64_t*)this->spi.ptr);
+ spi = *((uint64_t*)this->spi.ptr);
break;
default:
break;
proposal->set_spi(proposal, spi);
proposals->insert_last(proposals, proposal);
}
- if (this->type == PROPOSAL_SUBSTRUCTURE)
+ if (this->type == PLV2_PROPOSAL_SUBSTRUCTURE)
{
add_to_proposal_v2(proposal, transform);
}
add_to_proposal_v1_ike(proposal, transform);
break;
case PROTO_ESP:
- add_to_proposal_v1_esp(proposal, transform);
+ case PROTO_AH:
+ add_to_proposal_v1(proposal, transform, this->protocol_id);
break;
default:
break;
}
/**
- * Get an attribute from a selected transform
+ * Get an attribute from any transform, 0 if not found
*/
-static u_int64_t get_attr_tfrm(transform_substructure_t *transform,
- transform_attribute_type_t type)
+static uint64_t get_attr(private_proposal_substructure_t *this,
+ transform_attribute_type_t type)
{
- enumerator_t *enumerator;
+ enumerator_t *transforms, *attributes;
+ transform_substructure_t *transform;
transform_attribute_t *attr;
- u_int64_t value = 0;
- enumerator = transform->create_attribute_enumerator(transform);
- while (enumerator->enumerate(enumerator, &attr))
+ transforms = this->transforms->create_enumerator(this->transforms);
+ while (transforms->enumerate(transforms, &transform))
{
- if (attr->get_attribute_type(attr) == type)
+ attributes = transform->create_attribute_enumerator(transform);
+ while (attributes->enumerate(attributes, &attr))
{
- value = attr->get_value(attr);
- break;
+ if (attr->get_attribute_type(attr) == type)
+ {
+ attributes->destroy(attributes);
+ transforms->destroy(transforms);
+ return attr->get_value(attr);
+ }
}
+ attributes->destroy(attributes);
}
- enumerator->destroy(enumerator);
- return value;
+ transforms->destroy(transforms);
+ return 0;
}
-
/**
- * Get an attribute from any transform, 0 if not found
+ * Look up a lifetime duration of a given kind in all transforms
*/
-static u_int64_t get_attr(private_proposal_substructure_t *this,
- transform_attribute_type_t type, transform_substructure_t **sel)
+static uint64_t get_life_duration(private_proposal_substructure_t *this,
+ transform_attribute_type_t type_attr, ikev1_life_type_t type,
+ transform_attribute_type_t dur_attr)
{
+ enumerator_t *transforms, *attributes;
transform_substructure_t *transform;
- enumerator_t *enumerator;
- u_int64_t value = 0;
+ transform_attribute_t *attr;
- enumerator = this->transforms->create_enumerator(this->transforms);
- while (enumerator->enumerate(enumerator, &transform))
+ transforms = this->transforms->create_enumerator(this->transforms);
+ while (transforms->enumerate(transforms, &transform))
{
- value = get_attr_tfrm(transform, type);
- if (value)
+ attributes = transform->create_attribute_enumerator(transform);
+ while (attributes->enumerate(attributes, &attr))
{
- if (sel)
- {
- *sel = transform;
+ if (attr->get_attribute_type(attr) == type_attr &&
+ attr->get_value(attr) == type)
+ { /* got type attribute, look for duration following next */
+ while (attributes->enumerate(attributes, &attr))
+ {
+ if (attr->get_attribute_type(attr) == dur_attr)
+ {
+ attributes->destroy(attributes);
+ transforms->destroy(transforms);
+ return attr->get_value(attr);
+ }
+ }
}
- break;
}
+ attributes->destroy(attributes);
}
- enumerator->destroy(enumerator);
- return value;
+ transforms->destroy(transforms);
+ return 0;
}
-METHOD(proposal_substructure_t, get_lifetime, u_int32_t,
+METHOD(proposal_substructure_t, get_lifetime, uint32_t,
private_proposal_substructure_t *this)
{
- transform_substructure_t *transform;
- transform_attribute_type_t type;
+ uint32_t duration;
switch (this->protocol_id)
{
case PROTO_IKE:
- type = get_attr(this, TATTR_PH1_LIFE_TYPE, &transform);
- if (type == IKEV1_LIFE_TYPE_SECONDS)
- {
- return get_attr_tfrm(transform, TATTR_PH1_LIFE_DURATION);
- }
- break;
+ return get_life_duration(this, TATTR_PH1_LIFE_TYPE,
+ IKEV1_LIFE_TYPE_SECONDS, TATTR_PH1_LIFE_DURATION);
case PROTO_ESP:
- type = get_attr(this, TATTR_PH2_SA_LIFE_TYPE, &transform);
- if (type == IKEV1_LIFE_TYPE_SECONDS)
- {
- return get_attr_tfrm(transform, TATTR_PH2_SA_LIFE_DURATION);
- }
- else if (type != IKEV1_LIFE_TYPE_KILOBYTES)
+ case PROTO_AH:
+ duration = get_life_duration(this, TATTR_PH2_SA_LIFE_TYPE,
+ IKEV1_LIFE_TYPE_SECONDS, TATTR_PH2_SA_LIFE_DURATION);
+ if (!duration)
{ /* default to 8 hours, RFC 2407 */
return 28800;
}
- break;
+ return duration;
default:
- break;
+ return 0;
}
- return 0;
}
-METHOD(proposal_substructure_t, get_lifebytes, u_int64_t,
+METHOD(proposal_substructure_t, get_lifebytes, uint64_t,
private_proposal_substructure_t *this)
{
- transform_substructure_t *transform;
- transform_attribute_type_t type;
-
switch (this->protocol_id)
{
- case PROTO_IKE:
- type = get_attr(this, TATTR_PH1_LIFE_TYPE, &transform);
- if (type == IKEV1_LIFE_TYPE_KILOBYTES)
- {
- return get_attr_tfrm(transform, TATTR_PH1_LIFE_DURATION);
- }
- break;
case PROTO_ESP:
- type = get_attr(this, TATTR_PH2_SA_LIFE_TYPE, &transform);
- if (type == IKEV1_LIFE_TYPE_KILOBYTES)
- {
- return get_attr_tfrm(transform, TATTR_PH1_LIFE_DURATION);
- }
- break;
+ case PROTO_AH:
+ return 1000 * get_life_duration(this, TATTR_PH2_SA_LIFE_TYPE,
+ IKEV1_LIFE_TYPE_KILOBYTES, TATTR_PH2_SA_LIFE_DURATION);
+ case PROTO_IKE:
default:
- break;
+ return 0;
}
- return 0;
-
}
METHOD(proposal_substructure_t, get_auth_method, auth_method_t,
private_proposal_substructure_t *this)
{
- switch (get_attr(this, TATTR_PH1_AUTH_METHOD, NULL))
+ switch (get_attr(this, TATTR_PH1_AUTH_METHOD))
{
case IKEV1_AUTH_PSK:
return AUTH_PSK;
return AUTH_DSS;
case IKEV1_AUTH_XAUTH_INIT_PSK:
return AUTH_XAUTH_INIT_PSK;
+ case IKEV1_AUTH_XAUTH_RESP_PSK:
+ return AUTH_XAUTH_RESP_PSK;
case IKEV1_AUTH_XAUTH_INIT_RSA:
return AUTH_XAUTH_INIT_RSA;
+ case IKEV1_AUTH_XAUTH_RESP_RSA:
+ return AUTH_XAUTH_RESP_RSA;
+ case IKEV1_AUTH_HYBRID_INIT_RSA:
+ return AUTH_HYBRID_INIT_RSA;
+ case IKEV1_AUTH_HYBRID_RESP_RSA:
+ return AUTH_HYBRID_RESP_RSA;
+ case IKEV1_AUTH_ECDSA_256:
+ return AUTH_ECDSA_256;
+ case IKEV1_AUTH_ECDSA_384:
+ return AUTH_ECDSA_384;
+ case IKEV1_AUTH_ECDSA_521:
+ return AUTH_ECDSA_521;
default:
- /* TODO-IKEv1: other XAUTH, ECDSA sigs */
return AUTH_NONE;
}
}
private_proposal_substructure_t *this, bool *udp)
{
*udp = FALSE;
- switch (get_attr(this, TATTR_PH2_ENCAP_MODE, NULL))
+ switch (get_attr(this, TATTR_PH2_ENCAP_MODE))
{
case IKEV1_ENCAP_TRANSPORT:
return MODE_TRANSPORT;
case IKEV1_ENCAP_TUNNEL:
- return MODE_TRANSPORT;
+ return MODE_TUNNEL;
case IKEV1_ENCAP_UDP_TRANSPORT:
+ case IKEV1_ENCAP_UDP_TRANSPORT_DRAFT_00_03:
*udp = TRUE;
return MODE_TRANSPORT;
case IKEV1_ENCAP_UDP_TUNNEL:
+ case IKEV1_ENCAP_UDP_TUNNEL_DRAFT_00_03:
*udp = TRUE;
return MODE_TUNNEL;
default:
.create_substructure_enumerator = _create_substructure_enumerator,
.set_spi = _set_spi,
.get_spi = _get_spi,
+ .get_cpi = _get_cpi,
.get_lifetime = _get_lifetime,
.get_lifebytes = _get_lifebytes,
.get_auth_method = _get_auth_method,
.get_encap_mode = _get_encap_mode,
.destroy = _destroy,
},
- .next_payload = NO_PAYLOAD,
+ .next_payload = PL_NONE,
.transforms = linked_list_create(),
.type = type,
);
* Add an IKEv1 IKE proposal to the substructure
*/
static void set_from_proposal_v1_ike(private_proposal_substructure_t *this,
- proposal_t *proposal, u_int32_t lifetime,
+ proposal_t *proposal, uint32_t lifetime,
auth_method_t method, int number)
{
transform_substructure_t *transform;
- u_int16_t alg, key_size;
+ uint16_t alg, key_size;
enumerator_t *enumerator;
- transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1,
+ transform = transform_substructure_create_type(PLV1_TRANSFORM_SUBSTRUCTURE,
number, IKEV1_TRANSID_KEY_IKE);
enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
- if (enumerator->enumerate(enumerator, &alg, &key_size))
+ while (enumerator->enumerate(enumerator, &alg, &key_size))
{
alg = get_ikev1_from_alg(ENCRYPTION_ALGORITHM, alg);
if (alg)
{
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
TATTR_PH1_ENCRYPTION_ALGORITHM, alg));
if (key_size)
{
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
TATTR_PH1_KEY_LENGTH, key_size));
}
+ break;
}
}
enumerator->destroy(enumerator);
/* encode the integrity algorithm as hash and assume use the same PRF */
enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
- if (enumerator->enumerate(enumerator, &alg, &key_size))
+ while (enumerator->enumerate(enumerator, &alg, &key_size))
{
alg = get_ikev1_from_alg(INTEGRITY_ALGORITHM, alg);
if (alg)
{
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
TATTR_PH1_HASH_ALGORITHM, alg));
+ break;
}
}
enumerator->destroy(enumerator);
if (enumerator->enumerate(enumerator, &alg, &key_size))
{
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
TATTR_PH1_GROUP, alg));
}
enumerator->destroy(enumerator);
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
TATTR_PH1_AUTH_METHOD, get_ikev1_auth(method)));
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
TATTR_PH1_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS));
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
TATTR_PH1_LIFE_DURATION, lifetime));
add_transform_substructure(this, transform);
}
/**
- * Add an IKEv1 ESP proposal to the substructure
+ * Add an IKEv1 ESP/AH proposal to the substructure
*/
-static void set_from_proposal_v1_esp(private_proposal_substructure_t *this,
- proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes,
- ipsec_mode_t mode, bool udp, int number)
+static void set_from_proposal_v1(private_proposal_substructure_t *this,
+ proposal_t *proposal, uint32_t lifetime, uint64_t lifebytes,
+ ipsec_mode_t mode, encap_t udp, int number)
{
transform_substructure_t *transform = NULL;
- u_int16_t alg, key_size;
+ uint16_t alg, transid, key_size;
enumerator_t *enumerator;
enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
if (enumerator->enumerate(enumerator, &alg, &key_size))
{
- transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE_V1,
- number, alg);
- if (key_size)
+ transid = get_ikev1_transid_from_alg(ENCRYPTION_ALGORITHM, alg);
+ if (transid)
{
- transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
- TATTR_PH2_KEY_LENGTH, key_size));
+ transform = transform_substructure_create_type(
+ PLV1_TRANSFORM_SUBSTRUCTURE, number, transid);
+ if (key_size)
+ {
+ transform->add_transform_attribute(transform,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
+ TATTR_PH2_KEY_LENGTH, key_size));
+ }
}
}
enumerator->destroy(enumerator);
- if (!transform)
- {
- return;
- }
enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
if (enumerator->enumerate(enumerator, &alg, &key_size))
{
- alg = get_ikev1_from_alg(INTEGRITY_ALGORITHM, alg);
+ transid = get_ikev1_transid_from_alg(INTEGRITY_ALGORITHM, alg);
+ alg = get_ikev1_auth_from_alg(alg);
if (alg)
{
- transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
- TATTR_PH2_AUTH_ALGORITHM, alg));
+ if (!transform && transid)
+ {
+ transform = transform_substructure_create_type(
+ PLV1_TRANSFORM_SUBSTRUCTURE, number, transid);
+ }
+ if (transform)
+ {
+ transform->add_transform_attribute(transform,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
+ TATTR_PH2_AUTH_ALGORITHM, alg));
+ }
}
}
enumerator->destroy(enumerator);
+ if (!transform)
+ {
+ return;
+ }
+
+ enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
+ if (enumerator->enumerate(enumerator, &alg, &key_size))
+ {
+ transform->add_transform_attribute(transform,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
+ TATTR_PH2_GROUP, alg));
+ }
+ enumerator->destroy(enumerator);
+
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
TATTR_PH2_ENCAP_MODE, get_ikev1_mode(mode, udp)));
if (lifetime)
{
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS));
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
TATTR_PH2_SA_LIFE_DURATION, lifetime));
}
- else if (lifebytes)
+ if (lifebytes)
{
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_KILOBYTES));
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE_V1,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
TATTR_PH2_SA_LIFE_DURATION, lifebytes / 1000));
}
+ enumerator = proposal->create_enumerator(proposal,
+ EXTENDED_SEQUENCE_NUMBERS);
+ while (enumerator->enumerate(enumerator, &alg, NULL))
+ {
+ if (alg == EXT_SEQ_NUMBERS)
+ {
+ transform->add_transform_attribute(transform,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
+ TATTR_PH2_EXT_SEQ_NUMBER, alg));
+ }
+ }
+ enumerator->destroy(enumerator);
add_transform_substructure(this, transform);
}
proposal_t *proposal)
{
transform_substructure_t *transform;
- u_int16_t alg, key_size;
+ uint16_t alg, key_size;
enumerator_t *enumerator;
/* encryption algorithm is only available in ESP */
enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
while (enumerator->enumerate(enumerator, &alg, &key_size))
{
- transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+ transform = transform_substructure_create_type(PLV2_TRANSFORM_SUBSTRUCTURE,
ENCRYPTION_ALGORITHM, alg);
if (key_size)
{
transform->add_transform_attribute(transform,
- transform_attribute_create_value(TRANSFORM_ATTRIBUTE,
+ transform_attribute_create_value(PLV2_TRANSFORM_ATTRIBUTE,
TATTR_IKEV2_KEY_LENGTH, key_size));
}
add_transform_substructure(this, transform);
enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
while (enumerator->enumerate(enumerator, &alg, &key_size))
{
- transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+ transform = transform_substructure_create_type(PLV2_TRANSFORM_SUBSTRUCTURE,
INTEGRITY_ALGORITHM, alg);
add_transform_substructure(this, transform);
}
enumerator = proposal->create_enumerator(proposal, PSEUDO_RANDOM_FUNCTION);
while (enumerator->enumerate(enumerator, &alg, &key_size))
{
- transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+ transform = transform_substructure_create_type(PLV2_TRANSFORM_SUBSTRUCTURE,
PSEUDO_RANDOM_FUNCTION, alg);
add_transform_substructure(this, transform);
}
enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
while (enumerator->enumerate(enumerator, &alg, NULL))
{
- transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+ transform = transform_substructure_create_type(PLV2_TRANSFORM_SUBSTRUCTURE,
DIFFIE_HELLMAN_GROUP, alg);
add_transform_substructure(this, transform);
}
enumerator = proposal->create_enumerator(proposal, EXTENDED_SEQUENCE_NUMBERS);
while (enumerator->enumerate(enumerator, &alg, NULL))
{
- transform = transform_substructure_create_type(TRANSFORM_SUBSTRUCTURE,
+ transform = transform_substructure_create_type(PLV2_TRANSFORM_SUBSTRUCTURE,
EXTENDED_SEQUENCE_NUMBERS, alg);
add_transform_substructure(this, transform);
}
*/
static void set_data(private_proposal_substructure_t *this, proposal_t *proposal)
{
- u_int64_t spi64;
- u_int32_t spi32;
+ uint64_t spi64;
+ uint32_t spi32;
/* add SPI, if necessary */
switch (proposal->get_protocol(proposal))
private_proposal_substructure_t *this;
this = (private_proposal_substructure_t*)
- proposal_substructure_create(SECURITY_ASSOCIATION);
+ proposal_substructure_create(PLV2_PROPOSAL_SUBSTRUCTURE);
set_from_proposal_v2(this, proposal);
set_data(this, proposal);
* See header.
*/
proposal_substructure_t *proposal_substructure_create_from_proposal_v1(
- proposal_t *proposal, u_int32_t lifetime, u_int64_t lifebytes,
- auth_method_t auth, ipsec_mode_t mode, bool udp)
+ proposal_t *proposal, uint32_t lifetime, uint64_t lifebytes,
+ auth_method_t auth, ipsec_mode_t mode, encap_t udp)
{
private_proposal_substructure_t *this;
this = (private_proposal_substructure_t*)
- proposal_substructure_create(PROPOSAL_SUBSTRUCTURE_V1);
+ proposal_substructure_create(PLV1_PROPOSAL_SUBSTRUCTURE);
switch (proposal->get_protocol(proposal))
{
case PROTO_IKE:
- set_from_proposal_v1_ike(this, proposal, lifetime, auth, 0);
+ set_from_proposal_v1_ike(this, proposal, lifetime, auth, 1);
break;
case PROTO_ESP:
- set_from_proposal_v1_esp(this, proposal, lifetime,
- lifebytes, mode, udp, 0);
+ case PROTO_AH:
+ set_from_proposal_v1(this, proposal, lifetime,
+ lifebytes, mode, udp, 1);
break;
default:
break;
* See header.
*/
proposal_substructure_t *proposal_substructure_create_from_proposals_v1(
- linked_list_t *proposals, u_int32_t lifetime, u_int64_t lifebytes,
- auth_method_t auth, ipsec_mode_t mode, bool udp)
+ linked_list_t *proposals, uint32_t lifetime, uint64_t lifebytes,
+ auth_method_t auth, ipsec_mode_t mode, encap_t udp)
{
private_proposal_substructure_t *this = NULL;
enumerator_t *enumerator;
this = (private_proposal_substructure_t*)
proposal_substructure_create_from_proposal_v1(
proposal, lifetime, lifebytes, auth, mode, udp);
+ ++number;
}
else
{
auth, ++number);
break;
case PROTO_ESP:
- set_from_proposal_v1_esp(this, proposal, lifetime,
- lifebytes, mode, udp, ++number);
+ case PROTO_AH:
+ set_from_proposal_v1(this, proposal, lifetime,
+ lifebytes, mode, udp, ++number);
break;
default:
break;
return &this->public;
}
+
+/**
+ * See header.
+ */
+proposal_substructure_t *proposal_substructure_create_for_ipcomp_v1(
+ uint32_t lifetime, uint64_t lifebytes, uint16_t cpi,
+ ipsec_mode_t mode, encap_t udp, uint8_t proposal_number)
+{
+ private_proposal_substructure_t *this;
+ transform_substructure_t *transform;
+
+
+ this = (private_proposal_substructure_t*)
+ proposal_substructure_create(PLV1_PROPOSAL_SUBSTRUCTURE);
+
+ /* we currently support DEFLATE only */
+ transform = transform_substructure_create_type(PLV1_TRANSFORM_SUBSTRUCTURE,
+ 1, IKEV1_IPCOMP_DEFLATE);
+
+ transform->add_transform_attribute(transform,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
+ TATTR_PH2_ENCAP_MODE, get_ikev1_mode(mode, udp)));
+ if (lifetime)
+ {
+ transform->add_transform_attribute(transform,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
+ TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_SECONDS));
+ transform->add_transform_attribute(transform,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
+ TATTR_PH2_SA_LIFE_DURATION, lifetime));
+ }
+ if (lifebytes)
+ {
+ transform->add_transform_attribute(transform,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
+ TATTR_PH2_SA_LIFE_TYPE, IKEV1_LIFE_TYPE_KILOBYTES));
+ transform->add_transform_attribute(transform,
+ transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
+ TATTR_PH2_SA_LIFE_DURATION, lifebytes / 1000));
+ }
+
+ add_transform_substructure(this, transform);
+
+ this->spi = chunk_clone(chunk_from_thing(cpi));
+ this->spi_size = this->spi.len;
+ this->protocol_id = PROTO_IPCOMP;
+ this->proposal_number = proposal_number;
+
+ compute_length(this);
+
+ return &this->public;
+}