From: Tobias Brunner Date: Tue, 15 Nov 2011 15:13:50 +0000 (+0100) Subject: Message rules for IKEv1 ID_PROT exchange added. X-Git-Tag: 5.0.0~338^2~9^2~516 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ba70ba8dd2ffcd28fc1aeaf106f8561ef947634;p=thirdparty%2Fstrongswan.git Message rules for IKEv1 ID_PROT exchange added. These rules are quite broad and cover main mode with at least PSK and signature based authentication.
---
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index fa724e4b1c..eab3427a15 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -414,6 +414,72 @@ static payload_order_t me_connect_r_order[] = {
 };
 #endif /* ME */
 
+#ifdef USE_IKEV1
+/**
+ * Message rule for ID_PROT from initiator.
+ */
+static payload_rule_t id_prot_i_rules[] = {
+/* payload type min max encr suff */
+ {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
+ {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
+ {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
+ {NONCE_V1, 0, 1, FALSE, FALSE},
+ {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
+ {ID_V1, 0, 1, TRUE, FALSE},
+ {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
+ {SIGNATURE_V1, 0, 1, TRUE, FALSE},
+ {HASH_V1, 0, 1, TRUE, FALSE},
+};
+
+/**
+ * payload order for ID_PROT from initiator.
+ */
+static payload_order_t id_prot_i_order[] = {
+/* payload type notify type */
+ {SECURITY_ASSOCIATION_V1, 0},
+ {KEY_EXCHANGE_V1, 0},
+ {NONCE_V1, 0},
+ {ID_V1, 0},
+ {CERTIFICATE_V1, 0},
+ {SIGNATURE_V1, 0},
+ {HASH_V1, 0},
+ {NOTIFICATION_V1, 0},
+ {VENDOR_ID_V1, 0},
+};
+
+/**
+ * Message rule for ID_PROT from responder.
+ */
+static payload_rule_t id_prot_r_rules[] = {
+/* payload type min max encr suff */
+ {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
+ {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
+ {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
+ {NONCE_V1, 0, 1, FALSE, FALSE},
+ {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
+ {ID_V1, 0, 1, TRUE, FALSE},
+ {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
+ {SIGNATURE_V1, 0, 1, TRUE, FALSE},
+ {HASH_V1, 0, 1, TRUE, FALSE},
+};
+
+/**
+ * payload order for ID_PROT from responder.
+ */
+static payload_order_t id_prot_r_order[] = {
+/* payload type notify type */
+ {SECURITY_ASSOCIATION_V1, 0},
+ {KEY_EXCHANGE_V1, 0},
+ {NONCE_V1, 0},
+ {ID_V1, 0},
+ {CERTIFICATE_V1, 0},
+ {SIGNATURE_V1, 0},
+ {HASH_V1, 0},
+ {NOTIFICATION_V1, 0},
+ {VENDOR_ID_V1, 0},
+};
+#endif /* USE_IKEV1 */
+
 /**
  * Message rules, defines allowed payloads.
  */
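Review bot: `{CERTIFICATE_V1, 0, 1, TRUE, FALSE}` in both id_prot_i_rules and id_prot_r_rules caps CERT at a single payload, so a peer that sends its end-entity certificate plus intermediate CA certificates as separate CERT payloads (which ISAKMP permits) would be rejected at the encoding layer before authentication is even attempted; a dedicated bound in the style of MAX_NOTIFY_PAYLOADS/MAX_VID_PAYLOADS seems warranted there. Separately, every rule has min 0 and suff FALSE, so these tables only bound multiplicity and (presumably, via the encr column) require ID/CERT/SIG/HASH to arrive encrypted — they cannot express which payloads must be present in a given main-mode message, because all six messages share the ID_PROT exchange type. That is a reasonable design, but it should be stated so the code consuming these messages knows it owns the presence checks; I would extend the header comment with `Covers all six main mode messages, so min is 0 for every payload: callers must verify that SA/KE/NONCE/ID/HASH|SIG are actually present in the expected message before using them.` The message_rules table these arrays are registered in lies outside this hunk.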
@@ -460,6 +526,17 @@ static message_rule_t message_rules[] = {
 countof(me_connect_r_order), me_connect_r_order,
 },
 #endif /* ME */
+#ifdef USE_IKEV1
+ {ID_PROT, TRUE, FALSE,
+ countof(id_prot_i_rules), id_prot_i_rules,
+ countof(id_prot_i_order), id_prot_i_order,
+ },
+ {ID_PROT, FALSE, FALSE,
+ countof(id_prot_r_rules), id_prot_r_rules,
+ countof(id_prot_r_order), id_prot_r_order,
+ },
+ /* TODO-IKEv1: define rules for other exchanges */
+#endif /* USE_IKEV1 */
 };