Refactored NONCE payload handling in quick mode

author: Martin Willi <martin@revosec.ch> 2011-11-24 09:51:40 +0100
committer: Martin Willi <martin@revosec.ch> 2012-03-20 17:30:51 +0100
commit: 818330aafed8cae07c3232d25e70b2a7eafe6766 (patch)
tree: 9ce26e7df33f154ed12d17fcadde94838e0c4b70
parent: 78f7728c3041011f0b4aac89454774874b6a348b (diff)
download: strongswan-818330aafed8cae07c3232d25e70b2a7eafe6766.tar.bz2
strongswan-818330aafed8cae07c3232d25e70b2a7eafe6766.tar.xz
1 files changed, 48 insertions, 47 deletions
diff --git a/src/libcharon/sa/tasks/quick_mode.c b/src/libcharon/sa/tasks/quick_mode.c
index 0c4e18c1c..70bde9086 100644
--- a/src/libcharon/sa/tasks/quick_mode.c
+++ b/src/libcharon/sa/tasks/quick_mode.c
@@ -197,6 +197,50 @@ static bool install(private_quick_mode_t *this)
 	return TRUE;
 }
 
+/**
+ * Generate and add NONCE
+ */
+static bool add_nonce(private_quick_mode_t *this, chunk_t *nonce,
+					  message_t *message)
+{
+	nonce_payload_t *nonce_payload;
+	rng_t *rng;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_IKE, "no RNG found to create nonce");
+		return FALSE;
+	}
+	rng->allocate_bytes(rng, NONCE_SIZE, nonce);
+	rng->destroy(rng);
+
+	nonce_payload = nonce_payload_create(NONCE_V1);
+	nonce_payload->set_nonce(nonce_payload, *nonce);
+	message->add_payload(message, &nonce_payload->payload_interface);
+
+	return TRUE;
+}
+
+/**
+ * Extract nonce from NONCE payload
+ */
+static bool get_nonce(private_quick_mode_t *this, chunk_t *nonce,
+					  message_t *message)
+{
+	nonce_payload_t *nonce_payload;
+
+	nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
+	if (!nonce_payload)
+	{
+		DBG1(DBG_IKE, "NONCE payload missing in message");
+		return FALSE;
+	}
+	*nonce = nonce_payload->get_nonce(nonce_payload);
+
+	return TRUE;
+}
+
 METHOD(task_t, build_i, status_t,
 	private_quick_mode_t *this, message_t *message)
 {
@@ -206,12 +250,10 @@ METHOD(task_t, build_i, status_t,
 		{
 			enumerator_t *enumerator;
 			sa_payload_t *sa_payload;
-			nonce_payload_t *nonce_payload;
 			id_payload_t *id_payload;
 			traffic_selector_t *ts;
 			linked_list_t *list;
 			proposal_t *proposal;
-			rng_t *rng;
 
 			this->child_sa = child_sa_create(
 									this->ike_sa->get_my_host(this->ike_sa),
@@ -238,17 +280,10 @@ METHOD(task_t, build_i, status_t,
 			list->destroy_offset(list, offsetof(proposal_t, destroy));
 			message->add_payload(message, &sa_payload->payload_interface);
 
-			rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-			if (!rng)
+			if (!add_nonce(this, &this->nonce_i, message))
 			{
-				DBG1(DBG_IKE, "no RNG found to create nonce");
 				return FAILED;
 			}
-			rng->allocate_bytes(rng, NONCE_SIZE, &this->nonce_i);
-			rng->destroy(rng);
-			nonce_payload = nonce_payload_create(NONCE_V1);
-			nonce_payload->set_nonce(nonce_payload, this->nonce_i);
-			message->add_payload(message, &nonce_payload->payload_interface);
 
 			list = this->config->get_traffic_selectors(this->config, TRUE, NULL,
 									this->ike_sa->get_my_host(this->ike_sa));
@@ -276,13 +311,10 @@ METHOD(task_t, build_i, status_t,
 			list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
 			message->add_payload(message, &id_payload->payload_interface);
 
-			/* TODO-IKEv1: Add HASH(1) */
-
 			return NEED_MORE;
 		}
 		case QM_NEGOTIATED:
 		{
-			/* TODO-IKEv1: Send HASH(3) */
 			return SUCCESS;
 		}
 		default:
@@ -298,7 +330,6 @@ METHOD(task_t, process_r, status_t,
 		case QM_INIT:
 		{
 			sa_payload_t *sa_payload;
-			nonce_payload_t *nonce_payload;
 			id_payload_t *id_payload;
 			payload_t *payload;
 			linked_list_t *tsi, *tsr, *list;
@@ -384,17 +415,10 @@ METHOD(task_t, process_r, status_t,
 			}
 			this->spi_i = this->proposal->get_spi(this->proposal);
 
-			nonce_payload = (nonce_payload_t*)message->get_payload(message,
-																   NONCE_V1);
-			if (!nonce_payload)
+			if (!get_nonce(this, &this->nonce_i, message))
 			{
-				DBG1(DBG_IKE, "Nonce payload missing");
 				return FAILED;
 			}
-			this->nonce_i = nonce_payload->get_nonce(nonce_payload);
-
-			/* TODO-IKEv1: verify HASH(1) */
-
 			this->child_sa = child_sa_create(
 									this->ike_sa->get_my_host(this->ike_sa),
 									this->ike_sa->get_other_host(this->ike_sa),
@@ -403,13 +427,10 @@ METHOD(task_t, process_r, status_t,
 		}
 		case QM_NEGOTIATED:
 		{
-			/* TODO-IKEv1: verify HASH(3) */
-
 			if (!install(this))
 			{
 				return FAILED;
 			}
-
 			return SUCCESS;
 		}
 		default:
@@ -425,9 +446,7 @@ METHOD(task_t, build_r, status_t,
 		case QM_INIT:
 		{
 			sa_payload_t *sa_payload;
-			nonce_payload_t *nonce_payload;
 			id_payload_t *id_payload;
-			rng_t *rng;
 
 			this->spi_r = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
 			if (!this->spi_r)
@@ -441,25 +460,16 @@ METHOD(task_t, build_r, status_t,
 									SECURITY_ASSOCIATION_V1, this->proposal);
 			message->add_payload(message, &sa_payload->payload_interface);
 
-			rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-			if (!rng)
+			if (!add_nonce(this, &this->nonce_r, message))
 			{
-				DBG1(DBG_IKE, "no RNG found to create nonce");
 				return FAILED;
 			}
-			rng->allocate_bytes(rng, NONCE_SIZE, &this->nonce_r);
-			rng->destroy(rng);
-			nonce_payload = nonce_payload_create(NONCE_V1);
-			nonce_payload->set_nonce(nonce_payload, this->nonce_r);
-			message->add_payload(message, &nonce_payload->payload_interface);
 
 			id_payload = id_payload_create_from_ts(this->tsi);
 			message->add_payload(message, &id_payload->payload_interface);
 			id_payload = id_payload_create_from_ts(this->tsr);
 			message->add_payload(message, &id_payload->payload_interface);
 
-			/* TODO-IKEv1: add HASH(2) */
-
 			this->state = QM_NEGOTIATED;
 			return NEED_MORE;
 		}
@@ -476,7 +486,6 @@ METHOD(task_t, process_i, status_t,
 		case QM_INIT:
 		{
 			sa_payload_t *sa_payload;
-			nonce_payload_t *nonce_payload;
 			id_payload_t *id_payload;
 			payload_t *payload;
 			traffic_selector_t *tsi = NULL, *tsr = NULL;
@@ -550,22 +559,14 @@ METHOD(task_t, process_i, status_t,
 			}
 			this->spi_r = this->proposal->get_spi(this->proposal);
 
-			nonce_payload = (nonce_payload_t*)message->get_payload(message,
-																   NONCE_V1);
-			if (!nonce_payload)
+			if (!get_nonce(this, &this->nonce_r, message))
 			{
-				DBG1(DBG_IKE, "Nonce payload missing");
 				return FAILED;
 			}
-			this->nonce_r = nonce_payload->get_nonce(nonce_payload);
-
-			/* TODO-IKEv1: verify HASH(2) */
-
 			if (!install(this))
 			{
 				return FAILED;
 			}
-
 			this->state = QM_NEGOTIATED;
 			return NEED_MORE;
 		}
author	Martin Willi <martin@revosec.ch>	2011-11-24 09:51:40 +0100
committer	Martin Willi <martin@revosec.ch>	2012-03-20 17:30:51 +0100
commit	818330aafed8cae07c3232d25e70b2a7eafe6766 (patch)
tree	9ce26e7df33f154ed12d17fcadde94838e0c4b70
parent	78f7728c3041011f0b4aac89454774874b6a348b (diff)
download	strongswan-818330aafed8cae07c3232d25e70b2a7eafe6766.tar.bz2 strongswan-818330aafed8cae07c3232d25e70b2a7eafe6766.tar.xz