![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to phase1.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / ikev1|
Return to phase1.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / ikev1 |
1.1 misho 1: /*
2: * Copyright (C) 2012-2017 Tobias Brunner
3: * HSR Hochschule fuer Technik Rapperswil
4: *
5: * Copyright (C) 2012 Martin Willi
6: * Copyright (C) 2012 revosec AG
7: *
8: * This program is free software; you can redistribute it and/or modify it
9: * under the terms of the GNU General Public License as published by the
10: * Free Software Foundation; either version 2 of the License, or (at your
11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12: *
13: * This program is distributed in the hope that it will be useful, but
14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16: * for more details.
17: */
18:
19: #include "phase1.h"
20:
21: #include <daemon.h>
22: #include <sa/ikev1/keymat_v1.h>
23: #include <encoding/payloads/ke_payload.h>
24: #include <encoding/payloads/nonce_payload.h>
25: #include <collections/linked_list.h>
26:
27: typedef struct private_phase1_t private_phase1_t;
28:
29: /**
30: * Private data of an phase1_t object.
31: */
32: struct private_phase1_t {
33:
34: /**
35: * Public phase1_t interface.
36: */
37: phase1_t public;
38:
39: /**
40: * IKE_SA we negotiate
41: */
42: ike_sa_t *ike_sa;
43:
44: /**
45: * Currently selected peer config
46: */
47: peer_cfg_t *peer_cfg;
48:
49: /**
50: * Other possible peer config candidates
51: */
52: linked_list_t *candidates;
53:
54: /**
55: * Acting as initiator
56: */
57: bool initiator;
58:
59: /**
60: * Extracted SA payload bytes
61: */
62: chunk_t sa_payload;
63:
64: /**
65: * DH exchange
66: */
67: diffie_hellman_t *dh;
68:
69: /**
70: * Keymat derivation (from SA)
71: */
72: keymat_v1_t *keymat;
73:
74: /**
75: * Received public DH value from peer
76: */
77: chunk_t dh_value;
78:
79: /**
80: * Initiators nonce
81: */
82: chunk_t nonce_i;
83:
84: /**
85: * Responder nonce
86: */
87: chunk_t nonce_r;
88: };
89:
90: /**
91: * Get the first authentication config from peer config
92: */
93: static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local)
94: {
95: enumerator_t *enumerator;
96: auth_cfg_t *cfg = NULL;
97:
98: enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
99: enumerator->enumerate(enumerator, &cfg);
100: enumerator->destroy(enumerator);
101: return cfg;
102: }
103:
104: /**
105: * Find a shared key for the given identities
106: */
107: static shared_key_t *find_shared_key(identification_t *my_id, host_t *me,
108: identification_t *other_id, host_t *other)
109: {
110: identification_t *any_id = NULL;
111: shared_key_t *shared_key;
112:
113: if (!other_id)
114: {
115: any_id = identification_create_from_encoding(ID_ANY, chunk_empty);
116: other_id = any_id;
117: }
118: shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
119: my_id, other_id);
120: if (!shared_key)
121: {
122: DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
123: my_id, me, other_id, other);
124: }
125: DESTROY_IF(any_id);
126: return shared_key;
127: }
128:
129: /**
130: * Lookup a shared secret for this IKE_SA
131: */
132: static shared_key_t *lookup_shared_key(private_phase1_t *this,
133: peer_cfg_t *peer_cfg)
134: {
135: host_t *me, *other;
136: identification_t *my_id, *other_id;
137: shared_key_t *shared_key = NULL;
138: auth_cfg_t *my_auth, *other_auth;
139: enumerator_t *enumerator;
140:
141: me = this->ike_sa->get_my_host(this->ike_sa);
142: other = this->ike_sa->get_other_host(this->ike_sa);
143:
144: if (peer_cfg)
145: { /* as initiator or aggressive responder, use identities */
146: my_auth = get_auth_cfg(peer_cfg, TRUE);
147: other_auth = get_auth_cfg(peer_cfg, FALSE);
148: if (my_auth && other_auth)
149: {
150: my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY);
151: if (peer_cfg->use_aggressive(peer_cfg))
152: {
153: other_id = this->ike_sa->get_other_id(this->ike_sa);
154: }
155: else
156: {
157: other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
158: }
159: if (my_id)
160: {
161: shared_key = find_shared_key(my_id, me, other_id, other);
162: }
163: }
164: }
165: else
166: { /* as responder, we try to find a config by IP addresses and use the
167: * configured identities to find the PSK */
168: enumerator = charon->backends->create_peer_cfg_enumerator(
169: charon->backends, me, other, NULL, NULL, IKEV1);
170: while (enumerator->enumerate(enumerator, &peer_cfg))
171: {
172: my_auth = get_auth_cfg(peer_cfg, TRUE);
173: other_auth = get_auth_cfg(peer_cfg, FALSE);
174: if (my_auth && other_auth)
175: {
176: my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY);
177: other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
178: if (my_id)
179: {
180: shared_key = find_shared_key(my_id, me, other_id, other);
181: if (shared_key)
182: {
183: break;
184: }
185: }
186: }
187: }
188: enumerator->destroy(enumerator);
189: }
190: if (!shared_key)
191: { /* try to get a PSK for IP addresses */
192: my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
193: other_id = identification_create_from_sockaddr(
194: other->get_sockaddr(other));
195: if (my_id && other_id)
196: {
197: shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
198: my_id, other_id);
199: }
200: DESTROY_IF(my_id);
201: DESTROY_IF(other_id);
202: if (!shared_key)
203: {
204: DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
205: }
206: }
207: return shared_key;
208: }
209:
210: METHOD(phase1_t, create_hasher, bool,
211: private_phase1_t *this)
212: {
213: return this->keymat->create_hasher(this->keymat,
214: this->ike_sa->get_proposal(this->ike_sa));
215: }
216:
217: METHOD(phase1_t, create_dh, bool,
218: private_phase1_t *this, diffie_hellman_group_t group)
219: {
220: this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, group);
221: return this->dh != NULL;
222: }
223:
224: METHOD(phase1_t, derive_keys, bool,
225: private_phase1_t *this, peer_cfg_t *peer_cfg, auth_method_t method)
226: {
227: shared_key_t *shared_key = NULL;
228:
229: switch (method)
230: {
231: case AUTH_PSK:
232: case AUTH_XAUTH_INIT_PSK:
233: case AUTH_XAUTH_RESP_PSK:
234: shared_key = lookup_shared_key(this, peer_cfg);
235: if (!shared_key)
236: {
237: return FALSE;
238: }
239: break;
240: default:
241: break;
242: }
243:
244: if (!this->keymat->derive_ike_keys(this->keymat,
245: this->ike_sa->get_proposal(this->ike_sa),
246: this->dh, this->dh_value, this->nonce_i, this->nonce_r,
247: this->ike_sa->get_id(this->ike_sa), method, shared_key))
248: {
249: DESTROY_IF(shared_key);
250: DBG1(DBG_IKE, "key derivation for %N failed", auth_method_names, method);
251: return FALSE;
252: }
253: charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, this->dh_value,
254: this->nonce_i, this->nonce_r, NULL, shared_key,
255: method);
256: DESTROY_IF(shared_key);
257: return TRUE;
258: }
259:
260: /**
261: * Check if a peer skipped authentication by using Hybrid authentication
262: */
263: static bool skipped_auth(private_phase1_t *this,
264: auth_method_t method, bool local)
265: {
266: bool initiator;
267:
268: initiator = local == this->initiator;
269: if (initiator && method == AUTH_HYBRID_INIT_RSA)
270: {
271: return TRUE;
272: }
273: if (!initiator && method == AUTH_HYBRID_RESP_RSA)
274: {
275: return TRUE;
276: }
277: return FALSE;
278: }
279:
280: /**
281: * Check if remote authentication constraints fulfilled
282: */
283: static bool check_constraints(private_phase1_t *this, auth_method_t method)
284: {
285: identification_t *id;
286: auth_cfg_t *auth, *cfg;
287: peer_cfg_t *peer_cfg;
288:
289: auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
290: /* auth identity to comply */
291: id = this->ike_sa->get_other_id(this->ike_sa);
292: auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
293: if (skipped_auth(this, method, FALSE))
294: {
295: return TRUE;
296: }
297: peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
298: cfg = get_auth_cfg(peer_cfg, FALSE);
299: return cfg && auth->complies(auth, cfg, TRUE);
300: }
301:
302: /**
303: * Save authentication information after authentication succeeded
304: */
305: static void save_auth_cfg(private_phase1_t *this,
306: auth_method_t method, bool local)
307: {
308: auth_cfg_t *auth;
309:
310: if (skipped_auth(this, method, local))
311: {
312: return;
313: }
314: auth = auth_cfg_create();
315: /* for local config, we _copy_ entries from the config, as it contains
316: * certificates we must send later. */
317: auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), local);
318: this->ike_sa->add_auth_cfg(this->ike_sa, local, auth);
319: }
320:
321: /**
322: * Create an authenticator instance
323: */
324: static authenticator_t* create_authenticator(private_phase1_t *this,
325: auth_method_t method, chunk_t id)
326: {
327: authenticator_t *authenticator;
328:
329: authenticator = authenticator_create_v1(this->ike_sa, this->initiator,
330: method, this->dh, this->dh_value, this->sa_payload, id);
331: if (!authenticator)
332: {
333: DBG1(DBG_IKE, "negotiated authentication method %N not supported",
334: auth_method_names, method);
335: }
336: return authenticator;
337: }
338:
339: METHOD(phase1_t, verify_auth, bool,
340: private_phase1_t *this, auth_method_t method, message_t *message,
341: chunk_t id_data)
342: {
343: authenticator_t *authenticator;
344: status_t status;
345:
346: authenticator = create_authenticator(this, method, id_data);
347: if (authenticator)
348: {
349: status = authenticator->process(authenticator, message);
350: authenticator->destroy(authenticator);
351: if (status == SUCCESS && check_constraints(this, method))
352: {
353: save_auth_cfg(this, method, FALSE);
354: return TRUE;
355: }
356: }
357: return FALSE;
358: }
359:
360: METHOD(phase1_t, build_auth, bool,
361: private_phase1_t *this, auth_method_t method, message_t *message,
362: chunk_t id_data)
363: {
364: authenticator_t *authenticator;
365: status_t status;
366:
367: authenticator = create_authenticator(this, method, id_data);
368: if (authenticator)
369: {
370: status = authenticator->build(authenticator, message);
371: authenticator->destroy(authenticator);
372: if (status == SUCCESS)
373: {
374: save_auth_cfg(this, method, TRUE);
375: return TRUE;
376: }
377: }
378: return FALSE;
379: }
380:
381: /**
382: * Get the two auth classes from local or remote config
383: */
384: static void get_auth_class(peer_cfg_t *peer_cfg, bool local,
385: auth_class_t *c1, auth_class_t *c2)
386: {
387: enumerator_t *enumerator;
388: auth_cfg_t *auth;
389:
390: *c1 = *c2 = AUTH_CLASS_ANY;
391:
392: enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
393: while (enumerator->enumerate(enumerator, &auth))
394: {
395: if (*c1 == AUTH_CLASS_ANY)
396: {
397: *c1 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
398: }
399: else
400: {
401: *c2 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
402: break;
403: }
404: }
405: enumerator->destroy(enumerator);
406: }
407:
408: /**
409: * Select an auth method to use by checking what key we have
410: */
411: static auth_method_t get_pubkey_method(private_phase1_t *this, auth_cfg_t *auth)
412: {
413: auth_method_t method = AUTH_NONE;
414: identification_t *id;
415: private_key_t *private;
416:
417: if (auth)
418: {
419: id = (identification_t*)auth->get(auth, AUTH_RULE_IDENTITY);
420: if (id)
421: {
422: private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, NULL);
423: if (private)
424: {
425: switch (private->get_type(private))
426: {
427: case KEY_RSA:
428: method = AUTH_RSA;
429: break;
430: case KEY_ECDSA:
431: switch (private->get_keysize(private))
432: {
433: case 256:
434: method = AUTH_ECDSA_256;
435: break;
436: case 384:
437: method = AUTH_ECDSA_384;
438: break;
439: case 521:
440: method = AUTH_ECDSA_521;
441: break;
442: default:
443: DBG1(DBG_IKE, "%d bit ECDSA private key size not "
444: "supported", private->get_keysize(private));
445: break;
446: }
447: break;
448: default:
449: DBG1(DBG_IKE, "private key of type %N not supported",
450: key_type_names, private->get_type(private));
451: break;
452: }
453: private->destroy(private);
454: }
455: else
456: {
457: DBG1(DBG_IKE, "no private key found for '%Y'", id);
458: }
459: }
460: }
461: return method;
462: }
463:
464: /**
465: * Calculate authentication method from a peer config
466: */
467: static auth_method_t calc_auth_method(private_phase1_t *this,
468: peer_cfg_t *peer_cfg)
469: {
470: auth_class_t i1, i2, r1, r2;
471:
472: get_auth_class(peer_cfg, this->initiator, &i1, &i2);
473: get_auth_class(peer_cfg, !this->initiator, &r1, &r2);
474:
475: if (i1 == AUTH_CLASS_PUBKEY && r1 == AUTH_CLASS_PUBKEY)
476: {
477: if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
478: {
479: /* for any pubkey method, return RSA */
480: return AUTH_RSA;
481: }
482: if (i2 == AUTH_CLASS_XAUTH)
483: {
484: return AUTH_XAUTH_INIT_RSA;
485: }
486: if (r2 == AUTH_CLASS_XAUTH)
487: {
488: return AUTH_XAUTH_RESP_RSA;
489: }
490: }
491: if (i1 == AUTH_CLASS_PSK && r1 == AUTH_CLASS_PSK)
492: {
493: if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
494: {
495: return AUTH_PSK;
496: }
497: if (i2 == AUTH_CLASS_XAUTH)
498: {
499: return AUTH_XAUTH_INIT_PSK;
500: }
501: if (r2 == AUTH_CLASS_XAUTH)
502: {
503: return AUTH_XAUTH_RESP_PSK;
504: }
505: }
506: if (i1 == AUTH_CLASS_XAUTH && r1 == AUTH_CLASS_PUBKEY &&
507: i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
508: {
509: return AUTH_HYBRID_INIT_RSA;
510: }
511: return AUTH_NONE;
512: }
513:
514: METHOD(phase1_t, get_auth_method, auth_method_t,
515: private_phase1_t *this, peer_cfg_t *peer_cfg)
516: {
517: auth_method_t method;
518:
519: method = calc_auth_method(this, peer_cfg);
520: if (method == AUTH_RSA)
521: {
522: return get_pubkey_method(this, get_auth_cfg(peer_cfg, TRUE));
523: }
524: return method;
525: }
526:
527: /**
528: * Check if a peer config can be used with a given auth method
529: */
530: static bool check_auth_method(private_phase1_t *this, peer_cfg_t *peer_cfg,
531: auth_method_t given)
532: {
533: auth_method_t method;
534:
535: method = calc_auth_method(this, peer_cfg);
536: switch (given)
537: {
538: case AUTH_ECDSA_256:
539: case AUTH_ECDSA_384:
540: case AUTH_ECDSA_521:
541: return method == AUTH_RSA;
542: default:
543: return method == given;
544: }
545: }
546:
547: METHOD(phase1_t, select_config, peer_cfg_t*,
548: private_phase1_t *this, auth_method_t method, bool aggressive,
549: identification_t *id)
550: {
551: enumerator_t *enumerator;
552: peer_cfg_t *current;
553: host_t *me, *other;
554: int unusable = 0;
555:
556: if (this->peer_cfg)
557: { /* try to find an alternative config */
558: if (this->candidates->remove_first(this->candidates,
559: (void**)¤t) != SUCCESS)
560: {
561: DBG1(DBG_CFG, "no alternative config found");
562: return NULL;
563: }
564: DBG1(DBG_CFG, "switching to peer config '%s'",
565: current->get_name(current));
566: return current;
567: }
568:
569: me = this->ike_sa->get_my_host(this->ike_sa);
570: other = this->ike_sa->get_other_host(this->ike_sa);
571: DBG1(DBG_CFG, "looking for %N peer configs matching %H...%H[%Y]",
572: auth_method_names, method, me, other, id);
573: enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
574: me, other, NULL, id, IKEV1);
575: while (enumerator->enumerate(enumerator, ¤t))
576: {
577: if (check_auth_method(this, current, method) &&
578: current->use_aggressive(current) == aggressive)
579: {
580: current->get_ref(current);
581: if (!this->peer_cfg)
582: {
583: this->peer_cfg = current;
584: }
585: else
586: {
587: this->candidates->insert_last(this->candidates, current);
588: }
589: }
590: else
591: {
592: unusable++;
593: }
594: }
595: enumerator->destroy(enumerator);
596:
597: if (this->peer_cfg)
598: {
599: DBG1(DBG_CFG, "selected peer config \"%s\"",
600: this->peer_cfg->get_name(this->peer_cfg));
601: return this->peer_cfg->get_ref(this->peer_cfg);
602: }
603: if (unusable)
604: {
605: DBG1(DBG_IKE, "found %d matching config%s, but none allows %N "
606: "authentication using %s Mode", unusable, unusable > 1 ? "s" : "",
607: auth_method_names, method, aggressive ? "Aggressive" : "Main");
608: return NULL;
609: }
610: DBG1(DBG_IKE, "no peer config found");
611: return NULL;
612: }
613:
614: METHOD(phase1_t, get_id, identification_t*,
615: private_phase1_t *this, peer_cfg_t *peer_cfg, bool local)
616: {
617: identification_t *id = NULL;
618: auth_cfg_t *auth;
619:
620: auth = get_auth_cfg(peer_cfg, local);
621: if (auth)
622: {
623: id = auth->get(auth, AUTH_RULE_IDENTITY);
624: if (local && (!id || id->get_type(id) == ID_ANY))
625: { /* no ID configured, use local IP address */
626: host_t *me;
627:
628: me = this->ike_sa->get_my_host(this->ike_sa);
629: if (!me->is_anyaddr(me))
630: {
631: id = identification_create_from_sockaddr(me->get_sockaddr(me));
632: auth->add(auth, AUTH_RULE_IDENTITY, id);
633: }
634: }
635: }
636: return id;
637: }
638:
639: METHOD(phase1_t, has_virtual_ip, bool,
640: private_phase1_t *this, peer_cfg_t *peer_cfg)
641: {
642: enumerator_t *enumerator;
643: bool found = FALSE;
644: host_t *host;
645:
646: enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
647: found = enumerator->enumerate(enumerator, &host);
648: enumerator->destroy(enumerator);
649:
650: return found;
651: }
652:
653: METHOD(phase1_t, has_pool, bool,
654: private_phase1_t *this, peer_cfg_t *peer_cfg)
655: {
656: enumerator_t *enumerator;
657: bool found = FALSE;
658: char *pool;
659:
660: enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
661: found = enumerator->enumerate(enumerator, &pool);
662: enumerator->destroy(enumerator);
663:
664: return found;
665: }
666:
667: METHOD(phase1_t, save_sa_payload, bool,
668: private_phase1_t *this, message_t *message)
669: {
670: enumerator_t *enumerator;
671: payload_t *payload, *sa = NULL;
672: chunk_t data;
673: size_t offset = IKE_HEADER_LENGTH;
674:
675: enumerator = message->create_payload_enumerator(message);
676: while (enumerator->enumerate(enumerator, &payload))
677: {
678: if (payload->get_type(payload) == PLV1_SECURITY_ASSOCIATION)
679: {
680: sa = payload;
681: break;
682: }
683: else
684: {
685: offset += payload->get_length(payload);
686: }
687: }
688: enumerator->destroy(enumerator);
689:
690: data = message->get_packet_data(message);
691: if (sa && data.len >= offset + sa->get_length(sa))
692: {
693: /* Get SA payload without 4 byte fixed header */
694: data = chunk_skip(data, offset);
695: data.len = sa->get_length(sa);
696: data = chunk_skip(data, 4);
697: this->sa_payload = chunk_clone(data);
698: return TRUE;
699: }
700: DBG1(DBG_IKE, "unable to extract SA payload encoding");
701: return FALSE;
702: }
703:
704: METHOD(phase1_t, add_nonce_ke, bool,
705: private_phase1_t *this, message_t *message)
706: {
707: nonce_payload_t *nonce_payload;
708: ke_payload_t *ke_payload;
709: nonce_gen_t *nonceg;
710: chunk_t nonce;
711:
712: ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE,
713: this->dh);
714: if (!ke_payload)
715: {
716: DBG1(DBG_IKE, "creating KE payload failed");
717: return FALSE;
718: }
719: message->add_payload(message, &ke_payload->payload_interface);
720:
721: nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
722: if (!nonceg)
723: {
724: DBG1(DBG_IKE, "no nonce generator found to create nonce");
725: return FALSE;
726: }
727: if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &nonce))
728: {
729: DBG1(DBG_IKE, "nonce allocation failed");
730: nonceg->destroy(nonceg);
731: return FALSE;
732: }
733: nonceg->destroy(nonceg);
734:
735: nonce_payload = nonce_payload_create(PLV1_NONCE);
736: nonce_payload->set_nonce(nonce_payload, nonce);
737: message->add_payload(message, &nonce_payload->payload_interface);
738:
739: if (this->initiator)
740: {
741: this->nonce_i = nonce;
742: }
743: else
744: {
745: this->nonce_r = nonce;
746: }
747: return TRUE;
748: }
749:
750: METHOD(phase1_t, get_nonce_ke, bool,
751: private_phase1_t *this, message_t *message)
752: {
753: nonce_payload_t *nonce_payload;
754: ke_payload_t *ke_payload;
755:
756: ke_payload = (ke_payload_t*)message->get_payload(message, PLV1_KEY_EXCHANGE);
757: if (!ke_payload)
758: {
759: DBG1(DBG_IKE, "KE payload missing in message");
760: return FALSE;
761: }
762: this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
763: if (!this->dh->set_other_public_value(this->dh, this->dh_value))
764: {
765: DBG1(DBG_IKE, "unable to apply received KE value");
766: return FALSE;
767: }
768:
769: nonce_payload = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE);
770: if (!nonce_payload)
771: {
772: DBG1(DBG_IKE, "NONCE payload missing in message");
773: return FALSE;
774: }
775:
776: if (this->initiator)
777: {
778: this->nonce_r = nonce_payload->get_nonce(nonce_payload);
779: }
780: else
781: {
782: this->nonce_i = nonce_payload->get_nonce(nonce_payload);
783: }
784: return TRUE;
785: }
786:
787: METHOD(phase1_t, destroy, void,
788: private_phase1_t *this)
789: {
790: DESTROY_IF(this->peer_cfg);
791: this->candidates->destroy_offset(this->candidates,
792: offsetof(peer_cfg_t, destroy));
793: chunk_free(&this->sa_payload);
794: DESTROY_IF(this->dh);
795: free(this->dh_value.ptr);
796: free(this->nonce_i.ptr);
797: free(this->nonce_r.ptr);
798: free(this);
799: }
800:
801: /**
802: * See header
803: */
804: phase1_t *phase1_create(ike_sa_t *ike_sa, bool initiator)
805: {
806: private_phase1_t *this;
807:
808: INIT(this,
809: .public = {
810: .create_hasher = _create_hasher,
811: .create_dh = _create_dh,
812: .derive_keys = _derive_keys,
813: .get_auth_method = _get_auth_method,
814: .get_id = _get_id,
815: .select_config = _select_config,
816: .has_virtual_ip = _has_virtual_ip,
817: .has_pool = _has_pool,
818: .verify_auth = _verify_auth,
819: .build_auth = _build_auth,
820: .save_sa_payload = _save_sa_payload,
821: .add_nonce_ke = _add_nonce_ke,
822: .get_nonce_ke = _get_nonce_ke,
823: .destroy = _destroy,
824: },
825: .candidates = linked_list_create(),
826: .ike_sa = ike_sa,
827: .initiator = initiator,
828: .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
829: );
830:
831: return &this->public;
832: }