aboutsummaryrefslogtreecommitdiffstats
path: root/Source/charon/sa/states
diff options
context:
space:
mode:
Diffstat (limited to 'Source/charon/sa/states')
-rw-r--r--Source/charon/sa/states/ike_auth_requested.c4
-rw-r--r--Source/charon/sa/states/ike_sa_init_requested.c137
-rw-r--r--Source/charon/sa/states/ike_sa_init_requested.h2
-rw-r--r--Source/charon/sa/states/ike_sa_init_responded.c6
-rw-r--r--Source/charon/sa/states/initiator_init.c69
-rw-r--r--Source/charon/sa/states/responder_init.c73
6 files changed, 130 insertions, 161 deletions
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index 60369ba28..e6559319c 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -326,14 +326,14 @@ static status_t process_idr_payload(private_ike_auth_requested_t *this, id_paylo
*/
static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payload_t *sa_payload)
{
- child_proposal_t *proposal, *proposal_tmp;
+ proposal_t *proposal, *proposal_tmp;
linked_list_t *proposal_list;
child_sa_t *child_sa;
chunk_t seed;
prf_plus_t *prf_plus;
/* get his selected proposal */
- proposal_list = sa_payload->get_child_proposals(sa_payload);
+ proposal_list = sa_payload->get_proposals(sa_payload);
/* check count of proposals */
if (proposal_list->get_count(proposal_list) == 0)
{
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index 7636ecbbe..327eb2d7c 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -70,17 +70,14 @@ struct private_ike_sa_init_requested_t {
chunk_t received_nonce;
/**
- * Packet data of ike_sa_init request
+ * Selected proposal
*/
- chunk_t ike_sa_init_request_data;
+ proposal_t *proposal;
/**
- * DH group priority used to get dh_group_number from configuration manager.
- *
- * Is passed to the next state object of type INITATOR_INIT if the selected group number
- * is not the same as in the peers selected proposal.
+ * Packet data of ike_sa_init request
*/
- u_int16_t dh_group_priority;
+ chunk_t ike_sa_init_request_data;
/**
* Assigned logger
@@ -329,7 +326,15 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
{
return status;
}
-
+
+ /* derive all the keys used in the IKE_SA */
+ status = this->ike_sa->build_transforms(this->ike_sa, this->proposal, this->diffie_hellman, this->sent_nonce, this->received_nonce);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, AUDIT, "Transform objects could not be created from selected proposal. Deleting IKE_SA");
+ return DELETE_ME;
+ }
+
/* build empty message */
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request);
@@ -402,45 +407,39 @@ status_t process_nonce_payload (private_ike_sa_init_requested_t *this, nonce_pay
*/
status_t process_sa_payload (private_ike_sa_init_requested_t *this, sa_payload_t *sa_payload)
{
- ike_proposal_t selected_proposal;
- ike_proposal_t *ike_proposals;
+ proposal_t *proposal;
+ linked_list_t *proposal_list;
init_config_t *init_config;
- size_t proposal_count;
- status_t status;
init_config = this->ike_sa->get_init_config(this->ike_sa);
- /* get the list of selected proposals */
- status = sa_payload->get_ike_proposals (sa_payload, &ike_proposals,&proposal_count);
- if (status != SUCCESS)
+ /* get the list of selected proposals, the peer has to select only one proposal */
+ proposal_list = sa_payload->get_proposals (sa_payload);
+ if (proposal_list->get_count(proposal_list) != 1)
{
- this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response did not contain any proposals. Deleting IKE_SA");
- return DELETE_ME;
+ this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response did not contain a single proposal. Deleting IKE_SA");
+ while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
+ {
+ proposal->destroy(proposal);
+ }
+ proposal_list->destroy(proposal_list);
+ return DELETE_ME;
}
- /* the peer has to select only one proposal */
- if (proposal_count != 1)
+
+ /* we have to re-check if the others selection is valid */
+ this->proposal = init_config->select_proposal(init_config, proposal_list);
+ while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
{
- this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response contained more than one proposal. Deleting IKE_SA");
- allocator_free(ike_proposals);
- return DELETE_ME;
+ proposal->destroy(proposal);
}
+ proposal_list->destroy(proposal_list);
- /* now let the configuration-manager check the selected proposals*/
- this->logger->log(this->logger, CONTROL | LEVEL2, "Check selected proposal");
- status = init_config->select_proposal (init_config,ike_proposals,1,&selected_proposal);
- allocator_free(ike_proposals);
- if (status != SUCCESS)
+ if (this->proposal == NULL)
{
this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response contained selected proposal we did not offer. Deleting IKE_SA");
return DELETE_ME;
}
-
- status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,&selected_proposal);
- if (status != SUCCESS)
- {
- this->logger->log(this->logger, AUDIT, "Transform objects could not be created from selected proposal. Deleting IKE_SA");
- return DELETE_ME;
- }
+
return SUCCESS;
}
@@ -448,24 +447,9 @@ status_t process_sa_payload (private_ike_sa_init_requested_t *this, sa_payload_t
* Implementation of private_ike_sa_init_requested_t.process_ke_payload.
*/
status_t process_ke_payload (private_ike_sa_init_requested_t *this, ke_payload_t *ke_payload)
-{
- chunk_t shared_secret;
- status_t status;
-
+{
this->diffie_hellman->set_other_public_value(this->diffie_hellman, ke_payload->get_key_exchange_data(ke_payload));
- /* store shared secret
- * status of dh object does not have to get checked cause other key is set
- */
- this->logger->log(this->logger, CONTROL | LEVEL2, "Retrieve shared secret and store it");
- status = this->diffie_hellman->get_shared_secret(this->diffie_hellman, &shared_secret);
- this->logger->log_chunk(this->logger, PRIVATE, "Shared secret", &shared_secret);
-
- this->logger->log(this->logger, CONTROL | LEVEL2, "Going to derive all secrets from shared secret");
- this->ike_sa->compute_secrets(this->ike_sa,shared_secret,this->sent_nonce, this->received_nonce);
-
- allocator_free_chunk(&(shared_secret));
-
return SUCCESS;
}
@@ -528,7 +512,7 @@ static status_t build_sa_payload (private_ike_sa_init_requested_t *this, message
/* get proposals form config, add to payload */
sa_config = this->ike_sa->get_sa_config(this->ike_sa);
proposal_list = sa_config->get_proposals(sa_config);
- sa_payload = sa_payload_create_from_child_proposal_list(proposal_list);
+ sa_payload = sa_payload_create_from_proposal_list(proposal_list);
/* TODO child sa stuff */
@@ -625,9 +609,25 @@ static status_t process_notify_payload(private_ike_sa_init_requested_t *this, no
case INVALID_KE_PAYLOAD:
{
initiator_init_t *initiator_init_state;
- u_int16_t new_dh_group_priority;
+ chunk_t notify_data;
+ diffie_hellman_group_t dh_group;
+ init_config_t *init_config;
+
+ notify_data = notify_payload->get_notification_data(notify_payload);
+ dh_group = ntohs(*((u_int16_t*)notify_data.ptr));
+
+ this->logger->log(this->logger, ERROR|LEVEL1, "Peer wouldn't accept DH group, it requested %s!",
+ mapping_find(diffie_hellman_group_m, dh_group));
+ /* check if we can accept this dh group */
+ init_config = this->ike_sa->get_init_config(this->ike_sa);
+ if (!init_config->check_dh_group(init_config, dh_group))
+ {
+ this->logger->log(this->logger, AUDIT,
+ "Peer does only accept DH group %s, which we do not accept! Aborting",
+ mapping_find(diffie_hellman_group_m, dh_group));
+ return DELETE_ME;
+ }
- this->logger->log(this->logger, ERROR|LEVEL1, "Selected DH group is not the one in the proposal selected by the responder!");
/* Going to change state back to initiator_init_t */
this->logger->log(this->logger, CONTROL|LEVEL2, "Create next state object");
initiator_init_state = initiator_init_create(this->ike_sa);
@@ -644,15 +644,13 @@ static status_t process_notify_payload(private_ike_sa_init_requested_t *this, no
this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy old sate object");
this->logger->log(this->logger, CONTROL|LEVEL2, "Going to retry initialization of connection");
- new_dh_group_priority = this->dh_group_priority + 1;
this->public.state_interface.destroy(&(this->public.state_interface));
- if (initiator_init_state->retry_initiate_connection (initiator_init_state,new_dh_group_priority) != SUCCESS)
+ if (initiator_init_state->retry_initiate_connection (initiator_init_state, dh_group) != SUCCESS)
{
return DELETE_ME;
}
return FAILED;
-
}
default:
{
@@ -676,7 +674,6 @@ static status_t process_notify_payload(private_ike_sa_init_requested_t *this, no
}
}
-
/**
* Implementation of state_t.get_state.
*/
@@ -690,14 +687,13 @@ static ike_sa_state_t get_state(private_ike_sa_init_requested_t *this)
*/
static void destroy_after_state_change (private_ike_sa_init_requested_t *this)
{
- this->logger->log(this->logger, CONTROL | LEVEL3, "Going to destroy state of type ike_sa_init_requested_t after state change.");
-
- this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy diffie hellman object");
this->diffie_hellman->destroy(this->diffie_hellman);
- this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy ike_sa_init_request_data");
allocator_free_chunk(&(this->ike_sa_init_request_data));
- this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy object itself");
- allocator_free(this);
+ if (this->proposal)
+ {
+ this->proposal->destroy(this->proposal);
+ }
+ allocator_free(this);
}
/**
@@ -705,24 +701,21 @@ static void destroy_after_state_change (private_ike_sa_init_requested_t *this)
*/
static void destroy(private_ike_sa_init_requested_t *this)
{
- this->logger->log(this->logger, CONTROL | LEVEL3, "Going to destroy state of type ike_sa_init_requested_t");
-
- this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy diffie hellman object");
this->diffie_hellman->destroy(this->diffie_hellman);
- this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy sent nonce");
allocator_free(this->sent_nonce.ptr);
- this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy received nonce");
allocator_free(this->received_nonce.ptr);
- this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy ike_sa_init_request_data");
allocator_free_chunk(&(this->ike_sa_init_request_data));
- this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy object itself");
+ if (this->proposal)
+ {
+ this->proposal->destroy(this->proposal);
+ }
allocator_free(this);
}
/*
* Described in header.
*/
-ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa, u_int16_t dh_group_priority, diffie_hellman_t *diffie_hellman, chunk_t sent_nonce,chunk_t ike_sa_init_request_data)
+ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa, diffie_hellman_t *diffie_hellman, chunk_t sent_nonce,chunk_t ike_sa_init_request_data)
{
private_ike_sa_init_requested_t *this = allocator_alloc_thing(private_ike_sa_init_requested_t);
@@ -748,9 +741,9 @@ ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa
this->received_nonce = CHUNK_INITIALIZER;
this->logger = this->ike_sa->get_logger(this->ike_sa);
this->diffie_hellman = diffie_hellman;
+ this->proposal = NULL;
this->sent_nonce = sent_nonce;
this->ike_sa_init_request_data = ike_sa_init_request_data;
- this->dh_group_priority = dh_group_priority;
return &(this->public);
}
diff --git a/Source/charon/sa/states/ike_sa_init_requested.h b/Source/charon/sa/states/ike_sa_init_requested.h
index 7d4df6ba8..1fe0a6d1d 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.h
+++ b/Source/charon/sa/states/ike_sa_init_requested.h
@@ -53,7 +53,6 @@ struct ike_sa_init_requested_t {
* Constructor of class ike_sa_init_requested_t.
*
* @param ike_sa assigned ike_sa
- * @param dh_group_priority the last used priority number to get the DH group for request
* @param diffie_hellman diffie_hellman object use to retrieve shared secret
* @param sent_nonce Sent nonce value
* @param ike_sa_init_request_data the binary representation of the IKE_SA_INIT request message
@@ -62,7 +61,6 @@ struct ike_sa_init_requested_t {
* @ingroup states
*/
ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa,
- u_int16_t dh_group_priority,
diffie_hellman_t *diffie_hellman,
chunk_t sent_nonce,
chunk_t ike_sa_init_request_data);
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index 2c21992e6..536041d0d 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -387,7 +387,7 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
*/
static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response)
{
- child_proposal_t *proposal, *proposal_tmp;
+ proposal_t *proposal, *proposal_tmp;
linked_list_t *proposal_list;
sa_payload_t *sa_response;
child_sa_t *child_sa;
@@ -397,7 +397,7 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
/* TODO: child sa stuff */
/* get proposals from request */
- proposal_list = request->get_child_proposals(request);
+ proposal_list = request->get_proposals(request);
if (proposal_list->get_count(proposal_list) == 0)
{
/* if the other side did not offer any proposals, we do not create child sa's */
@@ -426,7 +426,7 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
}
/* create payload with selected propsal */
- sa_response = sa_payload_create_from_child_proposal(proposal);
+ sa_response = sa_payload_create_from_proposal(proposal);
response->add_payload(response, (payload_t*)sa_response);
/* install child SAs for AH and esp */
diff --git a/Source/charon/sa/states/initiator_init.c b/Source/charon/sa/states/initiator_init.c
index 6ab698f89..f27dcb559 100644
--- a/Source/charon/sa/states/initiator_init.c
+++ b/Source/charon/sa/states/initiator_init.c
@@ -58,17 +58,6 @@ struct private_initiator_init_t {
diffie_hellman_t *diffie_hellman;
/**
- * DH group number.
- */
- u_int16_t dh_group_number;
-
- /**
- * DH group priority used to get dh_group_number from configuration manager.
- * This priority is passed to the next state of type IKE_SA_INIT_REQUESTED.
- */
- u_int16_t dh_group_priority;
-
- /**
* Sent nonce.
* This nonce is passed to the next state of type IKE_SA_INIT_REQUESTED.
*/
@@ -124,49 +113,41 @@ static status_t initiate_connection (private_initiator_init_t *this, char *name)
init_config_t *init_config;
sa_config_t *sa_config;
status_t status;
-
+ diffie_hellman_group_t dh_group;
this->logger->log(this->logger, CONTROL, "Initializing connection %s",name);
+ /* get configs */
status = charon->configuration_manager->get_init_config_for_name(charon->configuration_manager,name,&init_config);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | LEVEL1, "Could not retrieve INIT configuration informations for %s",name);
return DELETE_ME;
}
-
this->ike_sa->set_init_config(this->ike_sa,init_config);
-
status = charon->configuration_manager->get_sa_config_for_name(charon->configuration_manager,name,&sa_config);
-
if (status != SUCCESS)
- {
+ {
this->logger->log(this->logger, ERROR | LEVEL1, "Could not retrieve SA configuration informations for %s",name);
return DELETE_ME;
}
-
this->ike_sa->set_sa_config(this->ike_sa,sa_config);
/* host informations are read from configuration */
this->ike_sa->set_other_host(this->ike_sa,init_config->get_other_host_clone(init_config));
this->ike_sa->set_my_host(this->ike_sa,init_config->get_my_host_clone(init_config));
- this->dh_group_number = init_config->get_dh_group_number(init_config,this->dh_group_priority);
- if (this->dh_group_number == MODP_UNDEFINED)
- {
- this->logger->log(this->logger, AUDIT, "Could not find a matching diffie hellman group after %d. try. Aborting.",
- this->dh_group_priority);
- return DELETE_ME;
- }
+ /* we must guess now a DH group. For that we choose our most preferred group */
+ dh_group = init_config->get_dh_group(init_config);
/* next step is done in retry_initiate_connection */
- return this->public.retry_initiate_connection(&(this->public),this->dh_group_priority);
+ return this->public.retry_initiate_connection(&(this->public), dh_group);
}
/**
* Implementation of initiator_init_t.retry_initiate_connection.
*/
-status_t retry_initiate_connection (private_initiator_init_t *this, int dh_group_priority)
+status_t retry_initiate_connection (private_initiator_init_t *this, diffie_hellman_group_t dh_group)
{
ike_sa_init_requested_t *next_state;
chunk_t ike_sa_init_request_data;
@@ -174,24 +155,18 @@ status_t retry_initiate_connection (private_initiator_init_t *this, int dh_group
ike_sa_id_t *ike_sa_id;
message_t *message;
status_t status;
-
- this->dh_group_priority = dh_group_priority;
-
- init_config = this->ike_sa->get_init_config(this->ike_sa);
-
- ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public));
- ike_sa_id->set_responder_spi(ike_sa_id,0);
-
- this->dh_group_number = init_config->get_dh_group_number(init_config,dh_group_priority);
- if (this->dh_group_number == MODP_UNDEFINED)
+ if (dh_group == MODP_UNDEFINED)
{
- this->logger->log(this->logger, AUDIT, "Could not find a matching diffie hellman group after %d. try. Aborting.",
- this->dh_group_priority);
+ this->logger->log(this->logger, AUDIT, "No DH group acceptable for initialization, Aborting");
+ message->destroy(message);
return DELETE_ME;
}
- this->diffie_hellman = diffie_hellman_create(this->dh_group_number);
+ init_config = this->ike_sa->get_init_config(this->ike_sa);
+ this->diffie_hellman = diffie_hellman_create(dh_group);
+ ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public));
+ ike_sa_id->set_responder_spi(ike_sa_id,0);
/* going to build message */
this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message");
@@ -222,7 +197,7 @@ status_t retry_initiate_connection (private_initiator_init_t *this, int dh_group
/* state can now be changed */
this->logger->log(this->logger, CONTROL|LEVEL2, "Create next state object");
- next_state = ike_sa_init_requested_create(this->ike_sa, this->dh_group_priority, this->diffie_hellman, this->sent_nonce,ike_sa_init_request_data);
+ next_state = ike_sa_init_requested_create(this->ike_sa, this->diffie_hellman, this->sent_nonce,ike_sa_init_request_data);
this->ike_sa->set_new_state(this->ike_sa,(state_t *) next_state);
this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy old sate object");
@@ -236,19 +211,16 @@ status_t retry_initiate_connection (private_initiator_init_t *this, int dh_group
static void build_sa_payload(private_initiator_init_t *this, message_t *request)
{
sa_payload_t* sa_payload;
- size_t proposal_count;
- ike_proposal_t *proposals;
+ linked_list_t *proposal_list;
init_config_t *init_config;
this->logger->log(this->logger, CONTROL|LEVEL1, "Building SA payload");
init_config = this->ike_sa->get_init_config(this->ike_sa);
- proposal_count = init_config->get_proposals(init_config,&proposals);
+ proposal_list = init_config->get_proposals(init_config);
- sa_payload = sa_payload_create_from_ike_proposals(proposals,proposal_count);
-
- allocator_free(proposals);
+ sa_payload = sa_payload_create_from_proposal_list(proposal_list);
this->logger->log(this->logger, CONTROL|LEVEL2, "Add SA payload to message");
request->add_payload(request, (payload_t *) sa_payload);
@@ -261,13 +233,15 @@ static void build_ke_payload(private_initiator_init_t *this, message_t *request)
{
ke_payload_t *ke_payload;
chunk_t key_data;
+ diffie_hellman_group_t dh_group;
this->logger->log(this->logger, CONTROL|LEVEL1, "Building KE payload");
this->diffie_hellman->get_my_public_value(this->diffie_hellman,&key_data);
+ dh_group = this->diffie_hellman->get_dh_group(this->diffie_hellman);
ke_payload = ke_payload_create();
- ke_payload->set_dh_group_number(ke_payload, this->dh_group_number);
+ ke_payload->set_dh_group_number(ke_payload, dh_group);
ke_payload->set_key_exchange_data(ke_payload, key_data);
allocator_free_chunk(&key_data);
@@ -372,7 +346,6 @@ initiator_init_t *initiator_init_create(protected_ike_sa_t *ike_sa)
/* private data */
this->ike_sa = ike_sa;
- this->dh_group_priority = 1;
this->logger = this->ike_sa->get_logger(this->ike_sa);
this->sent_nonce = CHUNK_INITIALIZER;
this->diffie_hellman = NULL;
diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c
index 2ea5b034d..c85f12efc 100644
--- a/Source/charon/sa/states/responder_init.c
+++ b/Source/charon/sa/states/responder_init.c
@@ -80,6 +80,11 @@ struct private_responder_init_t {
chunk_t received_nonce;
/**
+ * Selected proposal
+ */
+ proposal_t *proposal;
+
+ /**
* Logger used to log data .
*
* Is logger of ike_sa!
@@ -153,7 +158,6 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
nonce_payload_t *nonce_request = NULL;
host_t *source, *destination;
init_config_t *init_config;
- chunk_t shared_secret;
iterator_t *payloads;
message_t *response;
status_t status;
@@ -275,17 +279,15 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
{
response->destroy(response);
return status;
- }
+ }
- /* store shared secret */
- this->logger->log(this->logger, CONTROL | LEVEL2, "Retrieve shared secret and store it");
- status = this->diffie_hellman->get_shared_secret(this->diffie_hellman, &shared_secret);
- this->logger->log_chunk(this->logger, PRIVATE, "Shared Diffie Hellman secret", &shared_secret);
-
- this->ike_sa->compute_secrets(this->ike_sa,shared_secret,this->received_nonce, this->sent_nonce);
-
- /* not used anymore */
- allocator_free_chunk(&shared_secret);
+ /* derive all the keys used in the IKE_SA */
+ status = this->ike_sa->build_transforms(this->ike_sa, this->proposal, this->diffie_hellman, this->received_nonce, this->sent_nonce);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, AUDIT, "Transform objects could not be created from selected proposal. Deleting IKE_SA");
+ return DELETE_ME;
+ }
/* message can now be sent (must not be destroyed) */
status = this->ike_sa->send_response(this->ike_sa, response);
@@ -318,47 +320,40 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
*/
static status_t build_sa_payload(private_responder_init_t *this,sa_payload_t *sa_request, message_t *response)
{
- ike_proposal_t selected_proposal;
- ike_proposal_t *ike_proposals;
+ proposal_t *proposal;
+ linked_list_t *proposal_list;
init_config_t *init_config;
sa_payload_t* sa_payload;
- size_t proposal_count;
- status_t status;
+ algorithm_t *algo;
init_config = this->ike_sa->get_init_config(this->ike_sa);
this->logger->log(this->logger, CONTROL | LEVEL2, "Process received SA payload");
+
/* get the list of suggested proposals */
- status = sa_request->get_ike_proposals (sa_request, &ike_proposals,&proposal_count);
- if (status != SUCCESS)
+ proposal_list = sa_request->get_proposals (sa_request);
+
+ /* select proposal */
+ this->proposal = init_config->select_proposal(init_config, proposal_list);
+ while(proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
{
- this->logger->log(this->logger, AUDIT, "IKE_SA_INIT request did not contain any proposals. Deleting IKE_SA");
- this->ike_sa->send_notify(this->ike_sa, IKE_SA_INIT, NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER);
- return DELETE_ME;
+ proposal->destroy(proposal);
}
-
- status = init_config->select_proposal(init_config, ike_proposals,proposal_count,&(selected_proposal));
- allocator_free(ike_proposals);
- if (status != SUCCESS)
+ proposal_list->destroy(proposal_list);
+ if (this->proposal == NULL)
{
this->logger->log(this->logger, AUDIT, "IKE_SA_INIT request did not contain any acceptable proposals. Deleting IKE_SA");
this->ike_sa->send_notify(this->ike_sa, IKE_SA_INIT, NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER);
return DELETE_ME;
}
-
- this->dh_group_number = selected_proposal.diffie_hellman_group;
-
- status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,&(selected_proposal));
- if (status != SUCCESS)
- {
- this->logger->log(this->logger, AUDIT, "Transform objects could not be created from selected proposal. Deleting IKE_SA");
- return DELETE_ME;
- }
+ /* get selected DH group to force policy, this is very restrictive!? */
+ this->proposal->get_algorithm(this->proposal, IKE, DIFFIE_HELLMAN_GROUP, &algo);
+ this->dh_group_number = algo->algorithm;
this->logger->log(this->logger, CONTROL | LEVEL2, "SA Payload processed");
this->logger->log(this->logger, CONTROL|LEVEL2, "Building SA payload");
- sa_payload = sa_payload_create_from_ike_proposals(&(selected_proposal),1);
+ sa_payload = sa_payload_create_from_proposal(this->proposal);
this->logger->log(this->logger, CONTROL|LEVEL2, "add SA payload to message");
response->add_payload(response,(payload_t *) sa_payload);
@@ -383,6 +378,7 @@ static status_t build_ke_payload(private_responder_init_t *this,ke_payload_t *ke
this->logger->log(this->logger, AUDIT, "No diffie hellman group to select. Deleting IKE_SA");
return DELETE_ME;
}
+
if (this->dh_group_number != group)
{
u_int16_t accepted_group;
@@ -510,6 +506,10 @@ static void destroy(private_responder_init_t *this)
this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy diffie_hellman_t hellman object");
this->diffie_hellman->destroy(this->diffie_hellman);
}
+ if (this->proposal)
+ {
+ this->proposal->destroy(this->proposal);
+ }
this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy object");
allocator_free(this);
}
@@ -527,6 +527,10 @@ static void destroy_after_state_change (private_responder_init_t *this)
this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy diffie_hellman_t object");
this->diffie_hellman->destroy(this->diffie_hellman);
}
+ if (this->proposal)
+ {
+ this->proposal->destroy(this->proposal);
+ }
this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy object");
allocator_free(this);
@@ -558,6 +562,7 @@ responder_init_t *responder_init_create(protected_ike_sa_t *ike_sa)
this->received_nonce = CHUNK_INITIALIZER;
this->dh_group_number = MODP_UNDEFINED;
this->diffie_hellman = NULL;
+ this->proposal = NULL;
return &(this->public);
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-22 21:23:12 +0000