![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to phase1.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / ikev1|
Return to phase1.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / ikev1 |
1.1 misho 1: /*
2: * Copyright (C) 2012-2017 Tobias Brunner
3: * HSR Hochschule fuer Technik Rapperswil
4: *
5: * Copyright (C) 2012 Martin Willi
6: * Copyright (C) 2012 revosec AG
7: *
8: * This program is free software; you can redistribute it and/or modify it
9: * under the terms of the GNU General Public License as published by the
10: * Free Software Foundation; either version 2 of the License, or (at your
11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12: *
13: * This program is distributed in the hope that it will be useful, but
14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16: * for more details.
17: */
18:
19: #include "phase1.h"
20:
21: #include <daemon.h>
22: #include <sa/ikev1/keymat_v1.h>
23: #include <encoding/payloads/ke_payload.h>
24: #include <encoding/payloads/nonce_payload.h>
25: #include <collections/linked_list.h>
26:
27: typedef struct private_phase1_t private_phase1_t;
28:
29: /**
30: * Private data of an phase1_t object.
31: */
32: struct private_phase1_t {
33:
34: /**
35: * Public phase1_t interface.
36: */
37: phase1_t public;
38:
39: /**
40: * IKE_SA we negotiate
41: */
42: ike_sa_t *ike_sa;
43:
44: /**
45: * Currently selected peer config
46: */
47: peer_cfg_t *peer_cfg;
48:
49: /**
50: * Other possible peer config candidates
51: */
52: linked_list_t *candidates;
53:
54: /**
55: * Acting as initiator
56: */
57: bool initiator;
58:
59: /**
60: * Extracted SA payload bytes
61: */
62: chunk_t sa_payload;
63:
64: /**
65: * DH exchange
66: */
67: diffie_hellman_t *dh;
68:
69: /**
70: * Keymat derivation (from SA)
71: */
72: keymat_v1_t *keymat;
73:
74: /**
75: * Received public DH value from peer
76: */
77: chunk_t dh_value;
78:
79: /**
80: * Initiators nonce
81: */
82: chunk_t nonce_i;
83:
84: /**
85: * Responder nonce
86: */
87: chunk_t nonce_r;
88: };
89:
90: /**
91: * Get the first authentication config from peer config
92: */
93: static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local)
94: {
95: enumerator_t *enumerator;
96: auth_cfg_t *cfg = NULL;
97:
98: enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
99: enumerator->enumerate(enumerator, &cfg);
100: enumerator->destroy(enumerator);
101: return cfg;
102: }
103:
104: /**
105: * Find a shared key for the given identities
106: */
107: static shared_key_t *find_shared_key(identification_t *my_id, host_t *me,
108: identification_t *other_id, host_t *other)
109: {
110: identification_t *any_id = NULL;
111: shared_key_t *shared_key;
112:
113: if (!other_id)
114: {
115: any_id = identification_create_from_encoding(ID_ANY, chunk_empty);
116: other_id = any_id;
117: }
118: shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
119: my_id, other_id);
120: if (!shared_key)
121: {
122: DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
123: my_id, me, other_id, other);
124: }
125: DESTROY_IF(any_id);
126: return shared_key;
127: }
128:
129: /**
130: * Lookup a shared secret for this IKE_SA
131: */
132: static shared_key_t *lookup_shared_key(private_phase1_t *this,
133: peer_cfg_t *peer_cfg)
134: {
135: host_t *me, *other;
136: identification_t *my_id, *other_id;
137: shared_key_t *shared_key = NULL;
138: auth_cfg_t *my_auth, *other_auth;
139: enumerator_t *enumerator;
140:
141: me = this->ike_sa->get_my_host(this->ike_sa);
142: other = this->ike_sa->get_other_host(this->ike_sa);
143:
144: if (peer_cfg)
145: { /* as initiator or aggressive responder, use identities */
146: other_auth = get_auth_cfg(peer_cfg, FALSE);
1.1.1.2 ! misho 147: if (other_auth)
1.1 misho 148: {
1.1.1.2 ! misho 149: my_id = this->ike_sa->get_my_id(this->ike_sa);
1.1 misho 150: if (peer_cfg->use_aggressive(peer_cfg))
151: {
152: other_id = this->ike_sa->get_other_id(this->ike_sa);
153: }
154: else
155: {
156: other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
157: }
1.1.1.2 ! misho 158: shared_key = find_shared_key(my_id, me, other_id, other);
1.1 misho 159: }
160: }
161: else
162: { /* as responder, we try to find a config by IP addresses and use the
163: * configured identities to find the PSK */
164: enumerator = charon->backends->create_peer_cfg_enumerator(
165: charon->backends, me, other, NULL, NULL, IKEV1);
166: while (enumerator->enumerate(enumerator, &peer_cfg))
167: {
168: my_auth = get_auth_cfg(peer_cfg, TRUE);
169: other_auth = get_auth_cfg(peer_cfg, FALSE);
170: if (my_auth && other_auth)
171: {
172: my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY);
173: other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
174: if (my_id)
175: {
176: shared_key = find_shared_key(my_id, me, other_id, other);
177: if (shared_key)
178: {
179: break;
180: }
181: }
182: }
183: }
184: enumerator->destroy(enumerator);
185: }
186: if (!shared_key)
187: { /* try to get a PSK for IP addresses */
188: my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
189: other_id = identification_create_from_sockaddr(
190: other->get_sockaddr(other));
191: if (my_id && other_id)
192: {
193: shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
194: my_id, other_id);
195: }
196: DESTROY_IF(my_id);
197: DESTROY_IF(other_id);
198: if (!shared_key)
199: {
200: DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
201: }
202: }
203: return shared_key;
204: }
205:
206: METHOD(phase1_t, create_hasher, bool,
207: private_phase1_t *this)
208: {
209: return this->keymat->create_hasher(this->keymat,
210: this->ike_sa->get_proposal(this->ike_sa));
211: }
212:
213: METHOD(phase1_t, create_dh, bool,
214: private_phase1_t *this, diffie_hellman_group_t group)
215: {
216: this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, group);
217: return this->dh != NULL;
218: }
219:
220: METHOD(phase1_t, derive_keys, bool,
221: private_phase1_t *this, peer_cfg_t *peer_cfg, auth_method_t method)
222: {
223: shared_key_t *shared_key = NULL;
224:
225: switch (method)
226: {
227: case AUTH_PSK:
228: case AUTH_XAUTH_INIT_PSK:
229: case AUTH_XAUTH_RESP_PSK:
230: shared_key = lookup_shared_key(this, peer_cfg);
231: if (!shared_key)
232: {
233: return FALSE;
234: }
235: break;
236: default:
237: break;
238: }
239:
240: if (!this->keymat->derive_ike_keys(this->keymat,
241: this->ike_sa->get_proposal(this->ike_sa),
242: this->dh, this->dh_value, this->nonce_i, this->nonce_r,
243: this->ike_sa->get_id(this->ike_sa), method, shared_key))
244: {
245: DESTROY_IF(shared_key);
246: DBG1(DBG_IKE, "key derivation for %N failed", auth_method_names, method);
247: return FALSE;
248: }
249: charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, this->dh_value,
250: this->nonce_i, this->nonce_r, NULL, shared_key,
251: method);
252: DESTROY_IF(shared_key);
253: return TRUE;
254: }
255:
256: /**
257: * Check if a peer skipped authentication by using Hybrid authentication
258: */
259: static bool skipped_auth(private_phase1_t *this,
260: auth_method_t method, bool local)
261: {
262: bool initiator;
263:
264: initiator = local == this->initiator;
265: if (initiator && method == AUTH_HYBRID_INIT_RSA)
266: {
267: return TRUE;
268: }
269: if (!initiator && method == AUTH_HYBRID_RESP_RSA)
270: {
271: return TRUE;
272: }
273: return FALSE;
274: }
275:
276: /**
277: * Check if remote authentication constraints fulfilled
278: */
279: static bool check_constraints(private_phase1_t *this, auth_method_t method)
280: {
281: identification_t *id;
282: auth_cfg_t *auth, *cfg;
283: peer_cfg_t *peer_cfg;
284:
285: auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
286: /* auth identity to comply */
287: id = this->ike_sa->get_other_id(this->ike_sa);
288: auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
289: if (skipped_auth(this, method, FALSE))
290: {
291: return TRUE;
292: }
293: peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
294: cfg = get_auth_cfg(peer_cfg, FALSE);
295: return cfg && auth->complies(auth, cfg, TRUE);
296: }
297:
298: /**
299: * Save authentication information after authentication succeeded
300: */
301: static void save_auth_cfg(private_phase1_t *this,
302: auth_method_t method, bool local)
303: {
304: auth_cfg_t *auth;
305:
306: if (skipped_auth(this, method, local))
307: {
308: return;
309: }
310: auth = auth_cfg_create();
311: /* for local config, we _copy_ entries from the config, as it contains
312: * certificates we must send later. */
313: auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), local);
314: this->ike_sa->add_auth_cfg(this->ike_sa, local, auth);
315: }
316:
317: /**
318: * Create an authenticator instance
319: */
320: static authenticator_t* create_authenticator(private_phase1_t *this,
321: auth_method_t method, chunk_t id)
322: {
323: authenticator_t *authenticator;
324:
325: authenticator = authenticator_create_v1(this->ike_sa, this->initiator,
326: method, this->dh, this->dh_value, this->sa_payload, id);
327: if (!authenticator)
328: {
329: DBG1(DBG_IKE, "negotiated authentication method %N not supported",
330: auth_method_names, method);
331: }
332: return authenticator;
333: }
334:
335: METHOD(phase1_t, verify_auth, bool,
336: private_phase1_t *this, auth_method_t method, message_t *message,
337: chunk_t id_data)
338: {
339: authenticator_t *authenticator;
340: status_t status;
341:
342: authenticator = create_authenticator(this, method, id_data);
343: if (authenticator)
344: {
345: status = authenticator->process(authenticator, message);
346: authenticator->destroy(authenticator);
347: if (status == SUCCESS && check_constraints(this, method))
348: {
349: save_auth_cfg(this, method, FALSE);
350: return TRUE;
351: }
352: }
353: return FALSE;
354: }
355:
356: METHOD(phase1_t, build_auth, bool,
357: private_phase1_t *this, auth_method_t method, message_t *message,
358: chunk_t id_data)
359: {
360: authenticator_t *authenticator;
361: status_t status;
362:
363: authenticator = create_authenticator(this, method, id_data);
364: if (authenticator)
365: {
366: status = authenticator->build(authenticator, message);
367: authenticator->destroy(authenticator);
368: if (status == SUCCESS)
369: {
370: save_auth_cfg(this, method, TRUE);
371: return TRUE;
372: }
373: }
374: return FALSE;
375: }
376:
377: /**
378: * Get the two auth classes from local or remote config
379: */
380: static void get_auth_class(peer_cfg_t *peer_cfg, bool local,
381: auth_class_t *c1, auth_class_t *c2)
382: {
383: enumerator_t *enumerator;
384: auth_cfg_t *auth;
385:
386: *c1 = *c2 = AUTH_CLASS_ANY;
387:
388: enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
389: while (enumerator->enumerate(enumerator, &auth))
390: {
391: if (*c1 == AUTH_CLASS_ANY)
392: {
393: *c1 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
394: }
395: else
396: {
397: *c2 = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
398: break;
399: }
400: }
401: enumerator->destroy(enumerator);
402: }
403:
404: /**
405: * Select an auth method to use by checking what key we have
406: */
407: static auth_method_t get_pubkey_method(private_phase1_t *this, auth_cfg_t *auth)
408: {
409: auth_method_t method = AUTH_NONE;
410: identification_t *id;
411: private_key_t *private;
412:
413: if (auth)
414: {
415: id = (identification_t*)auth->get(auth, AUTH_RULE_IDENTITY);
416: if (id)
417: {
418: private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, NULL);
419: if (private)
420: {
421: switch (private->get_type(private))
422: {
423: case KEY_RSA:
424: method = AUTH_RSA;
425: break;
426: case KEY_ECDSA:
427: switch (private->get_keysize(private))
428: {
429: case 256:
430: method = AUTH_ECDSA_256;
431: break;
432: case 384:
433: method = AUTH_ECDSA_384;
434: break;
435: case 521:
436: method = AUTH_ECDSA_521;
437: break;
438: default:
439: DBG1(DBG_IKE, "%d bit ECDSA private key size not "
440: "supported", private->get_keysize(private));
441: break;
442: }
443: break;
444: default:
445: DBG1(DBG_IKE, "private key of type %N not supported",
446: key_type_names, private->get_type(private));
447: break;
448: }
449: private->destroy(private);
450: }
451: else
452: {
453: DBG1(DBG_IKE, "no private key found for '%Y'", id);
454: }
455: }
456: }
457: return method;
458: }
459:
460: /**
461: * Calculate authentication method from a peer config
462: */
463: static auth_method_t calc_auth_method(private_phase1_t *this,
464: peer_cfg_t *peer_cfg)
465: {
466: auth_class_t i1, i2, r1, r2;
467:
468: get_auth_class(peer_cfg, this->initiator, &i1, &i2);
469: get_auth_class(peer_cfg, !this->initiator, &r1, &r2);
470:
471: if (i1 == AUTH_CLASS_PUBKEY && r1 == AUTH_CLASS_PUBKEY)
472: {
473: if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
474: {
475: /* for any pubkey method, return RSA */
476: return AUTH_RSA;
477: }
478: if (i2 == AUTH_CLASS_XAUTH)
479: {
480: return AUTH_XAUTH_INIT_RSA;
481: }
482: if (r2 == AUTH_CLASS_XAUTH)
483: {
484: return AUTH_XAUTH_RESP_RSA;
485: }
486: }
487: if (i1 == AUTH_CLASS_PSK && r1 == AUTH_CLASS_PSK)
488: {
489: if (i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
490: {
491: return AUTH_PSK;
492: }
493: if (i2 == AUTH_CLASS_XAUTH)
494: {
495: return AUTH_XAUTH_INIT_PSK;
496: }
497: if (r2 == AUTH_CLASS_XAUTH)
498: {
499: return AUTH_XAUTH_RESP_PSK;
500: }
501: }
502: if (i1 == AUTH_CLASS_XAUTH && r1 == AUTH_CLASS_PUBKEY &&
503: i2 == AUTH_CLASS_ANY && r2 == AUTH_CLASS_ANY)
504: {
505: return AUTH_HYBRID_INIT_RSA;
506: }
507: return AUTH_NONE;
508: }
509:
510: METHOD(phase1_t, get_auth_method, auth_method_t,
511: private_phase1_t *this, peer_cfg_t *peer_cfg)
512: {
513: auth_method_t method;
514:
515: method = calc_auth_method(this, peer_cfg);
516: if (method == AUTH_RSA)
517: {
518: return get_pubkey_method(this, get_auth_cfg(peer_cfg, TRUE));
519: }
520: return method;
521: }
522:
523: /**
524: * Check if a peer config can be used with a given auth method
525: */
526: static bool check_auth_method(private_phase1_t *this, peer_cfg_t *peer_cfg,
527: auth_method_t given)
528: {
529: auth_method_t method;
530:
531: method = calc_auth_method(this, peer_cfg);
532: switch (given)
533: {
534: case AUTH_ECDSA_256:
535: case AUTH_ECDSA_384:
536: case AUTH_ECDSA_521:
537: return method == AUTH_RSA;
538: default:
539: return method == given;
540: }
541: }
542:
543: METHOD(phase1_t, select_config, peer_cfg_t*,
544: private_phase1_t *this, auth_method_t method, bool aggressive,
545: identification_t *id)
546: {
547: enumerator_t *enumerator;
548: peer_cfg_t *current;
549: host_t *me, *other;
550: int unusable = 0;
551:
552: if (this->peer_cfg)
553: { /* try to find an alternative config */
554: if (this->candidates->remove_first(this->candidates,
555: (void**)¤t) != SUCCESS)
556: {
557: DBG1(DBG_CFG, "no alternative config found");
558: return NULL;
559: }
560: DBG1(DBG_CFG, "switching to peer config '%s'",
561: current->get_name(current));
562: return current;
563: }
564:
565: me = this->ike_sa->get_my_host(this->ike_sa);
566: other = this->ike_sa->get_other_host(this->ike_sa);
567: DBG1(DBG_CFG, "looking for %N peer configs matching %H...%H[%Y]",
568: auth_method_names, method, me, other, id);
569: enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
570: me, other, NULL, id, IKEV1);
571: while (enumerator->enumerate(enumerator, ¤t))
572: {
573: if (check_auth_method(this, current, method) &&
574: current->use_aggressive(current) == aggressive)
575: {
576: current->get_ref(current);
577: if (!this->peer_cfg)
578: {
579: this->peer_cfg = current;
580: }
581: else
582: {
583: this->candidates->insert_last(this->candidates, current);
584: }
585: }
586: else
587: {
588: unusable++;
589: }
590: }
591: enumerator->destroy(enumerator);
592:
593: if (this->peer_cfg)
594: {
595: DBG1(DBG_CFG, "selected peer config \"%s\"",
596: this->peer_cfg->get_name(this->peer_cfg));
597: return this->peer_cfg->get_ref(this->peer_cfg);
598: }
599: if (unusable)
600: {
601: DBG1(DBG_IKE, "found %d matching config%s, but none allows %N "
602: "authentication using %s Mode", unusable, unusable > 1 ? "s" : "",
603: auth_method_names, method, aggressive ? "Aggressive" : "Main");
604: return NULL;
605: }
606: DBG1(DBG_IKE, "no peer config found");
607: return NULL;
608: }
609:
610: METHOD(phase1_t, get_id, identification_t*,
611: private_phase1_t *this, peer_cfg_t *peer_cfg, bool local)
612: {
613: identification_t *id = NULL;
614: auth_cfg_t *auth;
615:
616: auth = get_auth_cfg(peer_cfg, local);
617: if (auth)
618: {
619: id = auth->get(auth, AUTH_RULE_IDENTITY);
620: if (local && (!id || id->get_type(id) == ID_ANY))
621: { /* no ID configured, use local IP address */
622: host_t *me;
623:
624: me = this->ike_sa->get_my_host(this->ike_sa);
625: if (!me->is_anyaddr(me))
626: {
627: id = identification_create_from_sockaddr(me->get_sockaddr(me));
1.1.1.2 ! misho 628: auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
1.1 misho 629: auth->add(auth, AUTH_RULE_IDENTITY, id);
630: }
631: }
632: }
633: return id;
634: }
635:
636: METHOD(phase1_t, has_virtual_ip, bool,
637: private_phase1_t *this, peer_cfg_t *peer_cfg)
638: {
639: enumerator_t *enumerator;
640: bool found = FALSE;
641: host_t *host;
642:
643: enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
644: found = enumerator->enumerate(enumerator, &host);
645: enumerator->destroy(enumerator);
646:
647: return found;
648: }
649:
650: METHOD(phase1_t, has_pool, bool,
651: private_phase1_t *this, peer_cfg_t *peer_cfg)
652: {
653: enumerator_t *enumerator;
654: bool found = FALSE;
655: char *pool;
656:
657: enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
658: found = enumerator->enumerate(enumerator, &pool);
659: enumerator->destroy(enumerator);
660:
661: return found;
662: }
663:
664: METHOD(phase1_t, save_sa_payload, bool,
665: private_phase1_t *this, message_t *message)
666: {
667: enumerator_t *enumerator;
668: payload_t *payload, *sa = NULL;
669: chunk_t data;
670: size_t offset = IKE_HEADER_LENGTH;
671:
672: enumerator = message->create_payload_enumerator(message);
673: while (enumerator->enumerate(enumerator, &payload))
674: {
675: if (payload->get_type(payload) == PLV1_SECURITY_ASSOCIATION)
676: {
677: sa = payload;
678: break;
679: }
680: else
681: {
682: offset += payload->get_length(payload);
683: }
684: }
685: enumerator->destroy(enumerator);
686:
687: data = message->get_packet_data(message);
688: if (sa && data.len >= offset + sa->get_length(sa))
689: {
690: /* Get SA payload without 4 byte fixed header */
691: data = chunk_skip(data, offset);
692: data.len = sa->get_length(sa);
693: data = chunk_skip(data, 4);
694: this->sa_payload = chunk_clone(data);
695: return TRUE;
696: }
697: DBG1(DBG_IKE, "unable to extract SA payload encoding");
698: return FALSE;
699: }
700:
701: METHOD(phase1_t, add_nonce_ke, bool,
702: private_phase1_t *this, message_t *message)
703: {
704: nonce_payload_t *nonce_payload;
705: ke_payload_t *ke_payload;
706: nonce_gen_t *nonceg;
707: chunk_t nonce;
708:
709: ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE,
710: this->dh);
711: if (!ke_payload)
712: {
713: DBG1(DBG_IKE, "creating KE payload failed");
714: return FALSE;
715: }
716: message->add_payload(message, &ke_payload->payload_interface);
717:
718: nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
719: if (!nonceg)
720: {
721: DBG1(DBG_IKE, "no nonce generator found to create nonce");
722: return FALSE;
723: }
724: if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &nonce))
725: {
726: DBG1(DBG_IKE, "nonce allocation failed");
727: nonceg->destroy(nonceg);
728: return FALSE;
729: }
730: nonceg->destroy(nonceg);
731:
732: nonce_payload = nonce_payload_create(PLV1_NONCE);
733: nonce_payload->set_nonce(nonce_payload, nonce);
734: message->add_payload(message, &nonce_payload->payload_interface);
735:
736: if (this->initiator)
737: {
738: this->nonce_i = nonce;
739: }
740: else
741: {
742: this->nonce_r = nonce;
743: }
744: return TRUE;
745: }
746:
747: METHOD(phase1_t, get_nonce_ke, bool,
748: private_phase1_t *this, message_t *message)
749: {
750: nonce_payload_t *nonce_payload;
751: ke_payload_t *ke_payload;
752:
753: ke_payload = (ke_payload_t*)message->get_payload(message, PLV1_KEY_EXCHANGE);
754: if (!ke_payload)
755: {
756: DBG1(DBG_IKE, "KE payload missing in message");
757: return FALSE;
758: }
759: this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
760: if (!this->dh->set_other_public_value(this->dh, this->dh_value))
761: {
762: DBG1(DBG_IKE, "unable to apply received KE value");
763: return FALSE;
764: }
765:
766: nonce_payload = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE);
767: if (!nonce_payload)
768: {
769: DBG1(DBG_IKE, "NONCE payload missing in message");
770: return FALSE;
771: }
772:
773: if (this->initiator)
774: {
775: this->nonce_r = nonce_payload->get_nonce(nonce_payload);
776: }
777: else
778: {
779: this->nonce_i = nonce_payload->get_nonce(nonce_payload);
780: }
781: return TRUE;
782: }
783:
784: METHOD(phase1_t, destroy, void,
785: private_phase1_t *this)
786: {
787: DESTROY_IF(this->peer_cfg);
788: this->candidates->destroy_offset(this->candidates,
789: offsetof(peer_cfg_t, destroy));
790: chunk_free(&this->sa_payload);
791: DESTROY_IF(this->dh);
792: free(this->dh_value.ptr);
793: free(this->nonce_i.ptr);
794: free(this->nonce_r.ptr);
795: free(this);
796: }
797:
798: /**
799: * See header
800: */
801: phase1_t *phase1_create(ike_sa_t *ike_sa, bool initiator)
802: {
803: private_phase1_t *this;
804:
805: INIT(this,
806: .public = {
807: .create_hasher = _create_hasher,
808: .create_dh = _create_dh,
809: .derive_keys = _derive_keys,
810: .get_auth_method = _get_auth_method,
811: .get_id = _get_id,
812: .select_config = _select_config,
813: .has_virtual_ip = _has_virtual_ip,
814: .has_pool = _has_pool,
815: .verify_auth = _verify_auth,
816: .build_auth = _build_auth,
817: .save_sa_payload = _save_sa_payload,
818: .add_nonce_ke = _add_nonce_ke,
819: .get_nonce_ke = _get_nonce_ke,
820: .destroy = _destroy,
821: },
822: .candidates = linked_list_create(),
823: .ike_sa = ike_sa,
824: .initiator = initiator,
825: .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
826: );
827:
828: return &this->public;
829: }