Return to phase1.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / ikev1 |
1.1 misho 1: /* 2: * Copyright (C) 2012-2017 Tobias Brunner 3: * HSR Hochschule fuer Technik Rapperswil 4: * 5: * Copyright (C) 2012 Martin Willi 6: * Copyright (C) 2012 revosec AG 7: * 8: * This program is free software; you can redistribute it and/or modify it 9: * under the terms of the GNU General Public License as published by the 10: * Free Software Foundation; either version 2 of the License, or (at your 11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. 12: * 13: * This program is distributed in the hope that it will be useful, but 14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY 15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 16: * for more details. 17: */ 18: 19: #include "phase1.h" 20: 21: #include <daemon.h> 22: #include <sa/ikev1/keymat_v1.h> 23: #include <encoding/payloads/ke_payload.h> 24: #include <encoding/payloads/nonce_payload.h> 25: #include <collections/linked_list.h> 26: 27: typedef struct private_phase1_t private_phase1_t; 28: 29: /** 30: * Private data of an phase1_t object. 31: */ 32: struct private_phase1_t { 33: 34: /** 35: * Public phase1_t interface. 36: */ 37: phase1_t public; 38: 39: /** 40: * IKE_SA we negotiate 41: */ 42: ike_sa_t *ike_sa; 43: 44: /** 45: * Currently selected peer config 46: */ 47: peer_cfg_t *peer_cfg; 48: 49: /** 50: * Other possible peer config candidates 51: */ 52: linked_list_t *candidates; 53: 54: /** 55: * Acting as initiator 56: */ 57: bool initiator; 58: 59: /** 60: * Extracted SA payload bytes 61: */ 62: chunk_t sa_payload; 63: 64: /** 65: * DH exchange 66: */ 67: diffie_hellman_t *dh; 68: 69: /** 70: * Keymat derivation (from SA) 71: */ 72: keymat_v1_t *keymat; 73: 74: /** 75: * Received public DH value from peer 76: */ 77: chunk_t dh_value; 78: 79: /** 80: * Initiators nonce 81: */ 82: chunk_t nonce_i; 83: 84: /** 85: * Responder nonce 86: */ 87: chunk_t nonce_r; 88: }; 89: 90: /** 91: * Get the first authentication config from peer config 92: */ 93: static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local) 94: { 95: enumerator_t *enumerator; 96: auth_cfg_t *cfg = NULL; 97: 98: enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local); 99: enumerator->enumerate(enumerator, &cfg); 100: enumerator->destroy(enumerator); 101: return cfg; 102: } 103: 104: /** 105: * Find a shared key for the given identities 106: */ 107: static shared_key_t *find_shared_key(identification_t *my_id, host_t *me, 108: identification_t *other_id, host_t *other) 109: { 110: identification_t *any_id = NULL; 111: shared_key_t *shared_key; 112: 113: if (!other_id) 114: { 115: any_id = identification_create_from_encoding(ID_ANY, chunk_empty); 116: other_id = any_id; 117: } 118: shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, 119: my_id, other_id); 120: if (!shared_key) 121: { 122: DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]", 123: my_id, me, other_id, other); 124: } 125: DESTROY_IF(any_id); 126: return shared_key; 127: } 128: 129: /** 130: * Lookup a shared secret for this IKE_SA 131: */ 132: static shared_key_t *lookup_shared_key(private_phase1_t *this, 133: peer_cfg_t *peer_cfg) 134: { 135: host_t *me, *other; 136: identification_t *my_id, *other_id; 137: shared_key_t *shared_key = NULL; 138: auth_cfg_t *my_auth, *other_auth; 139: enumerator_t *enumerator; 140: 141: me = this->ike_sa->get_my_host(this->ike_sa); 142: other = this->ike_sa->get_other_host(this->ike_sa); 143: 144: if (peer_cfg) 145: { /* as initiator or aggressive responder, use identities */ 146: other_auth = get_auth_cfg(peer_cfg, FALSE); 1.1.1.2 ! misho 147: if (other_auth) 1.1 misho 148: { 1.1.1.2 ! misho 149: my_id = this->ike_sa->get_my_id(this->ike_sa); 1.1 misho 150: if (peer_cfg->use_aggressive(peer_cfg)) 151: { 152: other_id = this->ike_sa->get_other_id(this->ike_sa); 153: } 154: else 155: { 156: other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY); 157: } 1.1.1.2 ! misho 158: shared_key = find_shared_key(my_id, me, other_id, other); 1.1 misho 159: } 160: } 161: else 162: { /* as responder, we try to find a config by IP addresses and use the 163: * configured identities to find the PSK */ 164: enumerator = charon->backends->create_peer_cfg_enumerator( 165: charon->backends, me, other, NULL, NULL, IKEV1); 166: while (enumerator->enumerate(enumerator, &peer_cfg)) 167: { 168: my_auth = get_auth_cfg(peer_cfg, TRUE); 169: other_auth = get_auth_cfg(peer_cfg, FALSE); 170: if (my_auth && other_auth) 171: { 172: my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY); 173: other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY); 174: if (my_id) 175: { 176: shared_key = find_shared_key(my_id, me, other_id, other); 177: if (shared_key) 178: { 179: break; 180: } 181: } 182: } 183: } 184: enumerator->destroy(enumerator); 185: } 186: if (!shared_key) 187: { /* try to get a PSK for IP addresses */ 188: my_id = identification_create_from_sockaddr(me->get_sockaddr(me)); 189: other_id = identification_create_from_sockaddr( 190: other->get_sockaddr(other)); 191: if (my_id && other_id) 192: { 193: shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, 194: my_id, other_id); 195: } 196: DESTROY_IF(my_id); 197: DESTROY_IF(other_id); 198: if (!shared_key) 199: { 200: DBG1(DBG_IKE, "no shared key found for %H - %H", me, other); 201: } 202: } 203: return shared_key; 204: } 205: 206: METHOD(phase1_t, create_hasher, bool, 207: private_phase1_t *this) 208: { 209: return this->keymat->create_hasher(this->keymat, 210: this->ike_sa->get_proposal(this->ike_sa)); 211: } 212: 213: METHOD(phase1_t, create_dh, bool, 214: private_phase1_t *this, diffie_hellman_group_t group) 215: { 216: this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, group); 217: return this->dh != NULL; 218: } 219: 220: METHOD(phase1_t, derive_keys, bool, 221: private_phase1_t *this, peer_cfg_t *peer_cfg, auth_method_t method) 222: { 223: shared_key_t *shared_key = NULL; 224: 225: switch (method) 226: { 227: case AUTH_PSK: 228: case AUTH_XAUTH_INIT_PSK: 229: case AUTH_XAUTH_RESP_PSK: 230: shared_key = lookup_shared_key(this, peer_cfg); 231: if (!shared_key) 232: { 233: return FALSE; 234: } 235: break; 236: default: 237: break; 238: } 239: 240: if (!this->keymat->derive_ike_keys(this->keymat, 241: this->ike_sa->get_proposal(this->ike_sa), 242: this->dh, this->dh_value, this->nonce_i, this->nonce_r, 243: this->ike_sa->get_id(this->ike_sa), method, shared_key)) 244: { 245: DESTROY_IF(shared_key); 246: DBG1(DBG_IKE, "key derivation for %N failed", auth_method_names, method); 247: return FALSE; 248: } 249: charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, this->dh_value, 250: this->nonce_i, this->nonce_r, NULL, shared_key, 251: method); 252: DESTROY_IF(shared_key); 253: return TRUE; 254: } 255: 256: /** 257: * Check if a peer skipped authentication by using Hybrid authentication 258: */ 259: static bool skipped_auth(private_phase1_t *this, 260: auth_method_t method, bool local) 261: { 262: bool initiator; 263: 264: initiator = local == this->initiator; 265: if (initiator && method == AUTH_HYBRID_INIT_RSA) 266: { 267: return TRUE; 268: } 269: if (!initiator && method == AUTH_HYBRID_RESP_RSA) 270: { 271: return TRUE; 272: } 273: return FALSE; 274: } 275: 276: /** 277: * Check if remote authentication constraints fulfilled 278: */ 279: static bool check_constraints(private_phase1_t *this, auth_method_t method) 280: { 281: identification_t *id; 282: auth_cfg_t *auth, *cfg; 283: peer_cfg_t *peer_cfg; 284: 285: auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); 286: /* auth identity to comply */ 287: id = this->ike_sa->get_other_id(this->ike_sa); 288: auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id)); 289: if (skipped_auth(this, method, FALSE)) 290: { 291: return TRUE; 292: } 293: peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); 294: cfg = get_auth_cfg(peer_cfg, FALSE); 295: return cfg && auth->complies(auth, cfg, TRUE); 296: } 297: 298: /** 299: * Save authentication information after authentication succeeded 300: */ 301: static void save_auth_cfg(private_phase1_t *this, 302: auth_method_t method, bool local) 303: { 304: auth_cfg_t *auth; 305: 306: if (skipped_auth(this, method, local)) 307: { 308: return; 309: } 310: auth = auth_cfg_create(); 311: /* for local config, we _copy_ entries from the config, as it contains 312: * certificates we must send later. */ 313: auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), local); 314: this->ike_sa->add_auth_cfg(this->ike_sa, local, auth); 315: } 316: 317: /** 318: * Create an authenticator instance 319: */ 320: static authenticator_t* create_authenticator(private_phase1_t *this, 321: auth_method_t method, chunk_t id) 322: { 323: authenticator_t *authenticator; 324: 325: authenticator = authenticator_create_v1(this->ike_sa, this->initiator, 326: method, this->dh, this->dh_value, this->sa_payload, id); 327: if (!authenticator) 328: { 329: DBG1(DBG_IKE, "negotiated authentication method %N not supported", 330: auth_method_names, method); 331: } 332: return authenticator; 333: } 334: 335: METHOD(phase1_t, verify_auth, bool, 336: private_phase1_t *this, auth_method_t method, message_t *message, 337: chunk_t id_data) 338: { 339: authenticator_t *authenticator; 340: status_t status; 341: 342: authenticator = create_authenticator(this, method, id_data); 343: if (authenticator) 344: { 345: status = authenticator->process(authenticator, message); 346: authenticator->destroy(authenticator); 347: if (status == SUCCESS && check_constraints(this, method)) 348: { 349: save_auth_cfg(this, method, FALSE); 350: return TRUE; 351: } 352: } 353: return FALSE; 354: } 355: 356: METHOD(phase1_t, build_auth, bool, 357: private_phase1_t *this, auth_method_t method, message_t *message, 358: chunk_t id_data) 359: { 360: authenticator_t *authenticator; 361: status_t status; 362: 363: authenticator = create_authenticator(this, method, id_data); 364: if (authenticator) 365: { 366: status = authenticator->build(authenticator, message); 367: authenticator->destroy(authenticator); 368: if (status == SUCCESS) 369: { 370: save_auth_cfg(this, method, TRUE); 371: return TRUE; 372: } 373: } 374: return FALSE; 375: } 376: 377: /** 378: * Get the two auth classes from local or remote config 379: */ 380: static void get_auth_class(peer_cfg_t *peer_cfg, bool local, 381: auth_class_t *c1, auth_class_t *c2) 382: { 383: enumerator_t *enumerator; 384: auth_cfg_t *auth; 385: 386: *c1 = *c2 = AUTH_CLASS_ANY; 387: 388: enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local); 389: while (enumerator->enumerate(enumerator, &auth)) 390: { 391: if (*c1 == AUTH_CLASS_ANY) 392: { 393: *c1 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS); 394: } 395: else 396: { 397: *c2 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS); 398: break; 399: } 400: } 401: enumerator->destroy(enumerator); 402: } 403: 404: /** 405: * Select an auth method to use by checking what key we have 406: */ 407: static auth_method_t get_pubkey_method(private_phase1_t *this, auth_cfg_t *auth) 408: { 409: auth_method_t method = AUTH_NONE; 410: identification_t *id; 411: private_key_t *private; 412: 413: if (auth) 414: { 415: id = (identification_t*)auth->get(auth, AUTH_RULE_IDENTITY); 416: if (id) 417: { 418: private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, NULL); 419: if (private) 420: { 421: switch (private->get_type(private)) 422: { 423: case KEY_RSA: 424: method = AUTH_RSA; 425: break; 426: case KEY_ECDSA: 427: switch (private->get_keysize(private)) 428: { 429: case 256: 430: method = AUTH_ECDSA_256; 431: break; 432: case 384: 433: method = AUTH_ECDSA_384; 434: break; 435: case 521: 436: method = AUTH_ECDSA_521; 437: break; 438: default: 439: DBG1(DBG_IKE, "%d bit ECDSA private key size not " 440: "supported", private->get_keysize(private)); 441: break; 442: } 443: break; 444: default: 445: DBG1(DBG_IKE, "private key of type %N not supported", 446: key_type_names, private->get_type(private)); 447: break; 448: } 449: private->destroy(private); 450: } 451: else 452: { 453: DBG1(DBG_IKE, "no private key found for '%Y'", id); 454: } 455: } 456: } 457: return method; 458: } 459: 460: /** 461: * Calculate authentication method from a peer config 462: */ 463: static auth_method_t calc_auth_method(private_phase1_t *this, 464: peer_cfg_t *peer_cfg) 465: { 466: auth_class_t i1, i2, r1, r2; 467: 468: get_auth_class(peer_cfg, this->initiator, &i1, &i2); 469: get_auth_class(peer_cfg, !this->initiator, &r1, &r2); 470: 471: if (i1 == AUTH_CLASS_PUBKEY && r1 == AUTH_CLASS_PUBKEY) 472: { 473: if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY) 474: { 475: /* for any pubkey method, return RSA */ 476: return AUTH_RSA; 477: } 478: if (i2 == AUTH_CLASS_XAUTH) 479: { 480: return AUTH_XAUTH_INIT_RSA; 481: } 482: if (r2 == AUTH_CLASS_XAUTH) 483: { 484: return AUTH_XAUTH_RESP_RSA; 485: } 486: } 487: if (i1 == AUTH_CLASS_PSK && r1 == AUTH_CLASS_PSK) 488: { 489: if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY) 490: { 491: return AUTH_PSK; 492: } 493: if (i2 == AUTH_CLASS_XAUTH) 494: { 495: return AUTH_XAUTH_INIT_PSK; 496: } 497: if (r2 == AUTH_CLASS_XAUTH) 498: { 499: return AUTH_XAUTH_RESP_PSK; 500: } 501: } 502: if (i1 == AUTH_CLASS_XAUTH && r1 == AUTH_CLASS_PUBKEY && 503: i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY) 504: { 505: return AUTH_HYBRID_INIT_RSA; 506: } 507: return AUTH_NONE; 508: } 509: 510: METHOD(phase1_t, get_auth_method, auth_method_t, 511: private_phase1_t *this, peer_cfg_t *peer_cfg) 512: { 513: auth_method_t method; 514: 515: method = calc_auth_method(this, peer_cfg); 516: if (method == AUTH_RSA) 517: { 518: return get_pubkey_method(this, get_auth_cfg(peer_cfg, TRUE)); 519: } 520: return method; 521: } 522: 523: /** 524: * Check if a peer config can be used with a given auth method 525: */ 526: static bool check_auth_method(private_phase1_t *this, peer_cfg_t *peer_cfg, 527: auth_method_t given) 528: { 529: auth_method_t method; 530: 531: method = calc_auth_method(this, peer_cfg); 532: switch (given) 533: { 534: case AUTH_ECDSA_256: 535: case AUTH_ECDSA_384: 536: case AUTH_ECDSA_521: 537: return method == AUTH_RSA; 538: default: 539: return method == given; 540: } 541: } 542: 543: METHOD(phase1_t, select_config, peer_cfg_t*, 544: private_phase1_t *this, auth_method_t method, bool aggressive, 545: identification_t *id) 546: { 547: enumerator_t *enumerator; 548: peer_cfg_t *current; 549: host_t *me, *other; 550: int unusable = 0; 551: 552: if (this->peer_cfg) 553: { /* try to find an alternative config */ 554: if (this->candidates->remove_first(this->candidates, 555: (void**)¤t) != SUCCESS) 556: { 557: DBG1(DBG_CFG, "no alternative config found"); 558: return NULL; 559: } 560: DBG1(DBG_CFG, "switching to peer config '%s'", 561: current->get_name(current)); 562: return current; 563: } 564: 565: me = this->ike_sa->get_my_host(this->ike_sa); 566: other = this->ike_sa->get_other_host(this->ike_sa); 567: DBG1(DBG_CFG, "looking for %N peer configs matching %H...%H[%Y]", 568: auth_method_names, method, me, other, id); 569: enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends, 570: me, other, NULL, id, IKEV1); 571: while (enumerator->enumerate(enumerator, ¤t)) 572: { 573: if (check_auth_method(this, current, method) && 574: current->use_aggressive(current) == aggressive) 575: { 576: current->get_ref(current); 577: if (!this->peer_cfg) 578: { 579: this->peer_cfg = current; 580: } 581: else 582: { 583: this->candidates->insert_last(this->candidates, current); 584: } 585: } 586: else 587: { 588: unusable++; 589: } 590: } 591: enumerator->destroy(enumerator); 592: 593: if (this->peer_cfg) 594: { 595: DBG1(DBG_CFG, "selected peer config \"%s\"", 596: this->peer_cfg->get_name(this->peer_cfg)); 597: return this->peer_cfg->get_ref(this->peer_cfg); 598: } 599: if (unusable) 600: { 601: DBG1(DBG_IKE, "found %d matching config%s, but none allows %N " 602: "authentication using %s Mode", unusable, unusable > 1 ? "s" : "", 603: auth_method_names, method, aggressive ? "Aggressive" : "Main"); 604: return NULL; 605: } 606: DBG1(DBG_IKE, "no peer config found"); 607: return NULL; 608: } 609: 610: METHOD(phase1_t, get_id, identification_t*, 611: private_phase1_t *this, peer_cfg_t *peer_cfg, bool local) 612: { 613: identification_t *id = NULL; 614: auth_cfg_t *auth; 615: 616: auth = get_auth_cfg(peer_cfg, local); 617: if (auth) 618: { 619: id = auth->get(auth, AUTH_RULE_IDENTITY); 620: if (local && (!id || id->get_type(id) == ID_ANY)) 621: { /* no ID configured, use local IP address */ 622: host_t *me; 623: 624: me = this->ike_sa->get_my_host(this->ike_sa); 625: if (!me->is_anyaddr(me)) 626: { 627: id = identification_create_from_sockaddr(me->get_sockaddr(me)); 1.1.1.2 ! misho 628: auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); 1.1 misho 629: auth->add(auth, AUTH_RULE_IDENTITY, id); 630: } 631: } 632: } 633: return id; 634: } 635: 636: METHOD(phase1_t, has_virtual_ip, bool, 637: private_phase1_t *this, peer_cfg_t *peer_cfg) 638: { 639: enumerator_t *enumerator; 640: bool found = FALSE; 641: host_t *host; 642: 643: enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg); 644: found = enumerator->enumerate(enumerator, &host); 645: enumerator->destroy(enumerator); 646: 647: return found; 648: } 649: 650: METHOD(phase1_t, has_pool, bool, 651: private_phase1_t *this, peer_cfg_t *peer_cfg) 652: { 653: enumerator_t *enumerator; 654: bool found = FALSE; 655: char *pool; 656: 657: enumerator = peer_cfg->create_pool_enumerator(peer_cfg); 658: found = enumerator->enumerate(enumerator, &pool); 659: enumerator->destroy(enumerator); 660: 661: return found; 662: } 663: 664: METHOD(phase1_t, save_sa_payload, bool, 665: private_phase1_t *this, message_t *message) 666: { 667: enumerator_t *enumerator; 668: payload_t *payload, *sa = NULL; 669: chunk_t data; 670: size_t offset = IKE_HEADER_LENGTH; 671: 672: enumerator = message->create_payload_enumerator(message); 673: while (enumerator->enumerate(enumerator, &payload)) 674: { 675: if (payload->get_type(payload) == PLV1_SECURITY_ASSOCIATION) 676: { 677: sa = payload; 678: break; 679: } 680: else 681: { 682: offset += payload->get_length(payload); 683: } 684: } 685: enumerator->destroy(enumerator); 686: 687: data = message->get_packet_data(message); 688: if (sa && data.len >= offset + sa->get_length(sa)) 689: { 690: /* Get SA payload without 4 byte fixed header */ 691: data = chunk_skip(data, offset); 692: data.len = sa->get_length(sa); 693: data = chunk_skip(data, 4); 694: this->sa_payload = chunk_clone(data); 695: return TRUE; 696: } 697: DBG1(DBG_IKE, "unable to extract SA payload encoding"); 698: return FALSE; 699: } 700: 701: METHOD(phase1_t, add_nonce_ke, bool, 702: private_phase1_t *this, message_t *message) 703: { 704: nonce_payload_t *nonce_payload; 705: ke_payload_t *ke_payload; 706: nonce_gen_t *nonceg; 707: chunk_t nonce; 708: 709: ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE, 710: this->dh); 711: if (!ke_payload) 712: { 713: DBG1(DBG_IKE, "creating KE payload failed"); 714: return FALSE; 715: } 716: message->add_payload(message, &ke_payload->payload_interface); 717: 718: nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat); 719: if (!nonceg) 720: { 721: DBG1(DBG_IKE, "no nonce generator found to create nonce"); 722: return FALSE; 723: } 724: if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &nonce)) 725: { 726: DBG1(DBG_IKE, "nonce allocation failed"); 727: nonceg->destroy(nonceg); 728: return FALSE; 729: } 730: nonceg->destroy(nonceg); 731: 732: nonce_payload = nonce_payload_create(PLV1_NONCE); 733: nonce_payload->set_nonce(nonce_payload, nonce); 734: message->add_payload(message, &nonce_payload->payload_interface); 735: 736: if (this->initiator) 737: { 738: this->nonce_i = nonce; 739: } 740: else 741: { 742: this->nonce_r = nonce; 743: } 744: return TRUE; 745: } 746: 747: METHOD(phase1_t, get_nonce_ke, bool, 748: private_phase1_t *this, message_t *message) 749: { 750: nonce_payload_t *nonce_payload; 751: ke_payload_t *ke_payload; 752: 753: ke_payload = (ke_payload_t*)message->get_payload(message, PLV1_KEY_EXCHANGE); 754: if (!ke_payload) 755: { 756: DBG1(DBG_IKE, "KE payload missing in message"); 757: return FALSE; 758: } 759: this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload)); 760: if (!this->dh->set_other_public_value(this->dh, this->dh_value)) 761: { 762: DBG1(DBG_IKE, "unable to apply received KE value"); 763: return FALSE; 764: } 765: 766: nonce_payload = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE); 767: if (!nonce_payload) 768: { 769: DBG1(DBG_IKE, "NONCE payload missing in message"); 770: return FALSE; 771: } 772: 773: if (this->initiator) 774: { 775: this->nonce_r = nonce_payload->get_nonce(nonce_payload); 776: } 777: else 778: { 779: this->nonce_i = nonce_payload->get_nonce(nonce_payload); 780: } 781: return TRUE; 782: } 783: 784: METHOD(phase1_t, destroy, void, 785: private_phase1_t *this) 786: { 787: DESTROY_IF(this->peer_cfg); 788: this->candidates->destroy_offset(this->candidates, 789: offsetof(peer_cfg_t, destroy)); 790: chunk_free(&this->sa_payload); 791: DESTROY_IF(this->dh); 792: free(this->dh_value.ptr); 793: free(this->nonce_i.ptr); 794: free(this->nonce_r.ptr); 795: free(this); 796: } 797: 798: /** 799: * See header 800: */ 801: phase1_t *phase1_create(ike_sa_t *ike_sa, bool initiator) 802: { 803: private_phase1_t *this; 804: 805: INIT(this, 806: .public = { 807: .create_hasher = _create_hasher, 808: .create_dh = _create_dh, 809: .derive_keys = _derive_keys, 810: .get_auth_method = _get_auth_method, 811: .get_id = _get_id, 812: .select_config = _select_config, 813: .has_virtual_ip = _has_virtual_ip, 814: .has_pool = _has_pool, 815: .verify_auth = _verify_auth, 816: .build_auth = _build_auth, 817: .save_sa_payload = _save_sa_payload, 818: .add_nonce_ke = _add_nonce_ke, 819: .get_nonce_ke = _get_nonce_ke, 820: .destroy = _destroy, 821: }, 822: .candidates = linked_list_create(), 823: .ike_sa = ike_sa, 824: .initiator = initiator, 825: .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa), 826: ); 827: 828: return &this->public; 829: }