projects / strongswan.git / blob
? search:


694c3f41e940d77d28f1c2ac650fed0f56d0bd3d
[strongswan.git] / src / libcharon / sa / tasks / main_mode.c
1 /*
2 * Copyright (C) 2011 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2011 Martin Willi
6 * Copyright (C) 2011 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "main_mode.h"
20
21 #include <string.h>
22
23 #include <daemon.h>
24 #include <sa/keymat_v1.h>
25 #include <crypto/diffie_hellman.h>
26 #include <encoding/payloads/sa_payload.h>
27 #include <encoding/payloads/ke_payload.h>
28 #include <encoding/payloads/nonce_payload.h>
29 #include <encoding/payloads/id_payload.h>
30 #include <encoding/payloads/hash_payload.h>
31
32 typedef struct private_main_mode_t private_main_mode_t;
33
34 /**
35 * Private members of a main_mode_t task.
36 */
37 struct private_main_mode_t {
38
39 /**
40 * Public methods and task_t interface.
41 */
42 main_mode_t public;
43
44 /**
45 * Assigned IKE_SA.
46 */
47 ike_sa_t *ike_sa;
48
49 /**
50 * Are we the initiator?
51 */
52 bool initiator;
53
54 /**
55 * IKE config to establish
56 */
57 ike_cfg_t *ike_cfg;
58
59 /**
60 * Peer config to use
61 */
62 peer_cfg_t *peer_cfg;
63
64 /**
65 * Local authentication configuration
66 */
67 auth_cfg_t *my_auth;
68
69 /**
70 * Remote authentication configuration
71 */
72 auth_cfg_t *other_auth;
73
74 /**
75 * selected IKE proposal
76 */
77 proposal_t *proposal;
78
79 /**
80 * DH exchange
81 */
82 diffie_hellman_t *dh;
83
84 /**
85 * Keymat derivation (from SA)
86 */
87 keymat_v1_t *keymat;
88
89 /**
90 * Received public DH value from peer
91 */
92 chunk_t dh_value;
93
94 /**
95 * Initiators nonce
96 */
97 chunk_t nonce_i;
98
99 /**
100 * Responder nonce
101 */
102 chunk_t nonce_r;
103
104 /**
105 * Encoded SA initiator payload used for authentication
106 */
107 chunk_t sa_payload;
108
109 /**
110 * Negotiated SA lifetime
111 */
112 u_int32_t lifetime;
113
114 /**
115 * Negotiated authentication method
116 */
117 auth_method_t auth_method;
118
119 /** states of main mode */
120 enum {
121 MM_INIT,
122 MM_SA,
123 MM_KE,
124 MM_AUTH,
125 } state;
126 };
127
128 /**
129 * Get the first authentcation config from peer config
130 */
131 static auth_cfg_t *get_auth_cfg(private_main_mode_t *this, bool local)
132 {
133 enumerator_t *enumerator;
134 auth_cfg_t *cfg = NULL;
135
136 enumerator = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg,
137 local);
138 enumerator->enumerate(enumerator, &cfg);
139 enumerator->destroy(enumerator);
140 return cfg;
141 }
142
143 /**
144 * Save the encoded SA payload of a message
145 */
146 static bool save_sa_payload(private_main_mode_t *this, message_t *message)
147 {
148 enumerator_t *enumerator;
149 payload_t *payload, *sa = NULL;
150 chunk_t data;
151 size_t offset = IKE_HEADER_LENGTH;
152
153 enumerator = message->create_payload_enumerator(message);
154 while (enumerator->enumerate(enumerator, &payload))
155 {
156 if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1)
157 {
158 sa = payload;
159 break;
160 }
161 else
162 {
163 offset += payload->get_length(payload);
164 }
165 }
166 enumerator->destroy(enumerator);
167
168 data = message->get_packet_data(message);
169 if (sa && data.len >= offset + sa->get_length(sa))
170 {
171 /* Get SA payload without 4 byte fixed header */
172 data = chunk_skip(data, offset);
173 data.len = sa->get_length(sa);
174 data = chunk_skip(data, 4);
175 this->sa_payload = chunk_clone(data);
176 return TRUE;
177 }
178 return FALSE;
179 }
180
181 /**
182 * Build main mode hash payloads
183 */
184 static void build_hash(private_main_mode_t *this, bool initiator,
185 message_t *message, identification_t *id)
186 {
187 hash_payload_t *hash_payload;
188 chunk_t hash, dh;
189
190 this->dh->get_my_public_value(this->dh, &dh);
191 hash = this->keymat->get_hash(this->keymat, initiator, dh, this->dh_value,
192 this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
193 free(dh.ptr);
194
195 hash_payload = hash_payload_create();
196 hash_payload->set_hash(hash_payload, hash);
197 free(hash.ptr);
198
199 message->add_payload(message, &hash_payload->payload_interface);
200 }
201
202 /**
203 * Verify main mode hash payload
204 */
205 static bool verify_hash(private_main_mode_t *this, bool initiator,
206 message_t *message, identification_t *id)
207 {
208 hash_payload_t *hash_payload;
209 chunk_t hash, dh;
210 bool equal;
211
212 hash_payload = (hash_payload_t*)message->get_payload(message,
213 HASH_V1);
214 if (!hash_payload)
215 {
216 DBG1(DBG_IKE, "HASH payload missing in message");
217 return FALSE;
218 }
219 hash = hash_payload->get_hash(hash_payload);
220 this->dh->get_my_public_value(this->dh, &dh);
221 hash = this->keymat->get_hash(this->keymat, initiator, this->dh_value, dh,
222 this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
223 free(dh.ptr);
224 equal = chunk_equals(hash, hash_payload->get_hash(hash_payload));
225 free(hash.ptr);
226 if (!equal)
227 {
228 DBG1(DBG_IKE, "calculated HASH does not match HASH payload");
229 }
230 return equal;
231 }
232
233 /**
234 * Generate and add NONCE, KE payload
235 */
236 static bool add_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
237 message_t *message)
238 {
239 nonce_payload_t *nonce_payload;
240 ke_payload_t *ke_payload;
241 rng_t *rng;
242
243 ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1,
244 this->dh);
245 message->add_payload(message, &ke_payload->payload_interface);
246
247 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
248 if (!rng)
249 {
250 DBG1(DBG_IKE, "no RNG found to create nonce");
251 return FALSE;
252 }
253 rng->allocate_bytes(rng, NONCE_SIZE, nonce);
254 rng->destroy(rng);
255
256 nonce_payload = nonce_payload_create(NONCE_V1);
257 nonce_payload->set_nonce(nonce_payload, *nonce);
258 message->add_payload(message, &nonce_payload->payload_interface);
259
260 return TRUE;
261 }
262
263 /**
264 * Extract nonce from NONCE payload, process KE payload
265 */
266 static bool get_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
267 message_t *message)
268 {
269 nonce_payload_t *nonce_payload;
270 ke_payload_t *ke_payload;
271
272 ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1);
273 if (!ke_payload)
274 {
275 DBG1(DBG_IKE, "KE payload missing in message");
276 return FALSE;
277 }
278 this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
279 this->dh->set_other_public_value(this->dh, this->dh_value);
280
281 nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
282 if (!nonce_payload)
283 {
284 DBG1(DBG_IKE, "NONCE payload missing in message");
285 return FALSE;
286 }
287 *nonce = nonce_payload->get_nonce(nonce_payload);
288
289 return TRUE;
290 }
291
292 /**
293 * Get auth method to use
294 */
295 static auth_method_t get_auth_method(private_main_mode_t *this)
296 {
297 switch ((uintptr_t)this->my_auth->get(this->my_auth, AUTH_RULE_AUTH_CLASS))
298 {
299 case AUTH_CLASS_PSK:
300 return AUTH_PSK;
301 case AUTH_CLASS_XAUTH_PSK:
302 return AUTH_XAUTH_INIT_PSK;
303 case AUTH_CLASS_XAUTH_PUBKEY:
304 return AUTH_XAUTH_INIT_RSA;
305 case AUTH_CLASS_PUBKEY:
306 /* TODO-IKEv1: look for a key, return RSA or ECDSA */
307 default:
308 /* TODO-IKEv1: XAUTH methods */
309 return AUTH_RSA;
310 }
311 }
312
313 METHOD(task_t, build_i, status_t,
314 private_main_mode_t *this, message_t *message)
315 {
316 switch (this->state)
317 {
318 case MM_INIT:
319 {
320 sa_payload_t *sa_payload;
321 linked_list_t *proposals;
322 packet_t *packet;
323
324 this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
325 DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
326 this->ike_sa->get_name(this->ike_sa),
327 this->ike_sa->get_unique_id(this->ike_sa),
328 this->ike_sa->get_other_host(this->ike_sa));
329 this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
330
331 this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
332 this->peer_cfg->get_ref(this->peer_cfg);
333
334 this->my_auth = get_auth_cfg(this, TRUE);
335 this->other_auth = get_auth_cfg(this, FALSE);
336 if (!this->my_auth || !this->other_auth)
337 {
338 DBG1(DBG_CFG, "no auth config found");
339 return FAILED;
340 }
341
342 proposals = this->ike_cfg->get_proposals(this->ike_cfg);
343 this->auth_method = get_auth_method(this);
344 this->lifetime = this->peer_cfg->get_reauth_time(this->peer_cfg,
345 FALSE);
346 if (!this->lifetime)
347 { /* fall back to rekey time of no rekey time configured */
348 this->lifetime = this->peer_cfg->get_rekey_time(this->peer_cfg,
349 FALSE);
350 }
351 sa_payload = sa_payload_create_from_proposals_v1(proposals,
352 this->lifetime, 0, this->auth_method, MODE_NONE, FALSE);
353 proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
354
355 message->add_payload(message, &sa_payload->payload_interface);
356
357 /* pregenerate message to store SA payload */
358 if (this->ike_sa->generate_message(this->ike_sa, message,
359 &packet) != SUCCESS)
360 {
361 DBG1(DBG_IKE, "pregenerating SA payload failed");
362 return FAILED;
363 }
364 packet->destroy(packet);
365 if (!save_sa_payload(this, message))
366 {
367 DBG1(DBG_IKE, "SA payload invalid");
368 return FAILED;
369 }
370
371 this->state = MM_SA;
372 return NEED_MORE;
373 }
374 case MM_SA:
375 {
376 u_int16_t group;
377
378 if (!this->proposal->get_algorithm(this->proposal,
379 DIFFIE_HELLMAN_GROUP, &group, NULL))
380 {
381 DBG1(DBG_IKE, "DH group selection failed");
382 return FAILED;
383 }
384 this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
385 group);
386 if (!this->dh)
387 {
388 DBG1(DBG_IKE, "negotiated DH group not supported");
389 return FAILED;
390 }
391 if (!add_nonce_ke(this, &this->nonce_i, message))
392 {
393 return FAILED;
394 }
395 this->state = MM_KE;
396 return NEED_MORE;
397 }
398 case MM_KE:
399 {
400 id_payload_t *id_payload;
401 identification_t *id;
402
403 id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
404 if (!id)
405 {
406 DBG1(DBG_CFG, "own identity not known");
407 return FAILED;
408 }
409
410 this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
411
412 id_payload = id_payload_create_from_identification(ID_V1, id);
413 message->add_payload(message, &id_payload->payload_interface);
414
415 build_hash(this, TRUE, message, id);
416
417 this->state = MM_AUTH;
418 return NEED_MORE;
419 }
420 default:
421 return FAILED;
422 }
423 }
424
425 METHOD(task_t, process_r, status_t,
426 private_main_mode_t *this, message_t *message)
427 {
428 switch (this->state)
429 {
430 case MM_INIT:
431 {
432 linked_list_t *list;
433 sa_payload_t *sa_payload;
434
435 this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
436 DBG0(DBG_IKE, "%H is initiating a Main Mode",
437 message->get_source(message));
438 this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
439
440 this->ike_sa->update_hosts(this->ike_sa,
441 message->get_destination(message),
442 message->get_source(message), TRUE);
443
444 sa_payload = (sa_payload_t*)message->get_payload(message,
445 SECURITY_ASSOCIATION_V1);
446 if (!sa_payload || !save_sa_payload(this, message))
447 {
448 DBG1(DBG_IKE, "SA payload missing or invalid");
449 return FAILED;
450 }
451
452 list = sa_payload->get_proposals(sa_payload);
453 this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
454 list, FALSE);
455 list->destroy_offset(list, offsetof(proposal_t, destroy));
456 if (!this->proposal)
457 {
458 DBG1(DBG_IKE, "no proposal found");
459 return FAILED;
460 }
461
462 this->auth_method = sa_payload->get_auth_method(sa_payload);
463 this->lifetime = sa_payload->get_lifetime(sa_payload);
464
465 this->state = MM_SA;
466 return NEED_MORE;
467 }
468 case MM_SA:
469 {
470 u_int16_t group;
471
472 if (!this->proposal->get_algorithm(this->proposal,
473 DIFFIE_HELLMAN_GROUP, &group, NULL))
474 {
475 DBG1(DBG_IKE, "DH group selection failed");
476 return FAILED;
477 }
478 this->dh = lib->crypto->create_dh(lib->crypto, group);
479 if (!this->dh)
480 {
481 DBG1(DBG_IKE, "negotiated DH group not supported");
482 return FAILED;
483 }
484 if (!get_nonce_ke(this, &this->nonce_i, message))
485 {
486 return FAILED;
487 }
488 this->state = MM_KE;
489 return NEED_MORE;
490 }
491 case MM_KE:
492 {
493 enumerator_t *enumerator;
494 id_payload_t *id_payload;
495 identification_t *id, *any;
496
497 id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
498 if (!id_payload)
499 {
500 DBG1(DBG_IKE, "IDii payload missing");
501 return FAILED;
502 }
503
504 id = id_payload->get_identification(id_payload);
505 any = identification_create_from_encoding(ID_ANY, chunk_empty);
506 enumerator = charon->backends->create_peer_cfg_enumerator(
507 charon->backends,
508 this->ike_sa->get_my_host(this->ike_sa),
509 this->ike_sa->get_other_host(this->ike_sa),
510 any, id);
511 if (!enumerator->enumerate(enumerator, &this->peer_cfg))
512 {
513 DBG1(DBG_IKE, "no peer config found");
514 id->destroy(id);
515 any->destroy(any);
516 enumerator->destroy(enumerator);
517 return FAILED;
518 }
519 this->peer_cfg->get_ref(this->peer_cfg);
520 enumerator->destroy(enumerator);
521 any->destroy(any);
522
523 this->ike_sa->set_other_id(this->ike_sa, id);
524
525 this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
526
527 this->my_auth = get_auth_cfg(this, TRUE);
528 this->other_auth = get_auth_cfg(this, FALSE);
529 if (!this->my_auth || !this->other_auth)
530 {
531 DBG1(DBG_IKE, "auth config missing");
532 return FAILED;
533 }
534
535 if (!verify_hash(this, TRUE, message, id))
536 {
537 return FAILED;
538 }
539
540 this->state = MM_AUTH;
541 return NEED_MORE;
542 }
543 default:
544 return FAILED;
545 }
546 }
547
548 /**
549 * Lookup a shared secret for this IKE_SA
550 */
551 static shared_key_t *lookup_shared_key(private_main_mode_t *this)
552 {
553 host_t *me, *other;
554 identification_t *my_id, *other_id;
555 shared_key_t *shared_key;
556
557 me = this->ike_sa->get_my_host(this->ike_sa);
558 other = this->ike_sa->get_other_host(this->ike_sa);
559 my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
560 other_id = identification_create_from_sockaddr(other->get_sockaddr(other));
561 if (!my_id || !other_id)
562 {
563 DESTROY_IF(my_id);
564 DESTROY_IF(other_id);
565 return NULL;
566 }
567 shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id,
568 other_id);
569 if (!shared_key)
570 {
571 DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
572 }
573 my_id->destroy(my_id);
574 other_id->destroy(other_id);
575 return shared_key;
576 }
577
578 /**
579 * Derive key material for this IKE_SA
580 */
581 static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i,
582 chunk_t nonce_r)
583 {
584 ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
585 shared_key_t *shared_key = NULL;
586
587 switch (this->auth_method)
588 {
589 case AUTH_PSK:
590 case AUTH_XAUTH_INIT_PSK:
591 shared_key = lookup_shared_key(this);
592 break;
593 default:
594 break;
595 }
596 if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
597 this->dh_value, nonce_i, nonce_r, id, this->auth_method, shared_key))
598 {
599 DESTROY_IF(shared_key);
600 return FALSE;
601 }
602 DESTROY_IF(shared_key);
603 charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, nonce_i, nonce_r,
604 NULL);
605 return TRUE;
606 }
607
608 METHOD(task_t, build_r, status_t,
609 private_main_mode_t *this, message_t *message)
610 {
611 switch (this->state)
612 {
613 case MM_SA:
614 {
615 sa_payload_t *sa_payload;
616
617 sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
618 this->lifetime, 0, this->auth_method, MODE_NONE, FALSE);
619 message->add_payload(message, &sa_payload->payload_interface);
620
621 return NEED_MORE;
622 }
623 case MM_KE:
624 {
625 if (!add_nonce_ke(this, &this->nonce_r, message))
626 {
627 return FAILED;
628 }
629 if (!derive_keys(this, this->nonce_i, this->nonce_r))
630 {
631 DBG1(DBG_IKE, "key derivation failed");
632 return FAILED;
633 }
634 return NEED_MORE;
635 }
636 case MM_AUTH:
637 {
638 id_payload_t *id_payload;
639 identification_t *id;
640
641 id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
642 if (!id)
643 {
644 DBG1(DBG_CFG, "own identity not known");
645 return FAILED;
646 }
647
648 this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
649
650 id_payload = id_payload_create_from_identification(ID_V1, id);
651 message->add_payload(message, &id_payload->payload_interface);
652
653 build_hash(this, FALSE, message, id);
654
655 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
656 this->ike_sa->get_name(this->ike_sa),
657 this->ike_sa->get_unique_id(this->ike_sa),
658 this->ike_sa->get_my_host(this->ike_sa),
659 this->ike_sa->get_my_id(this->ike_sa),
660 this->ike_sa->get_other_host(this->ike_sa),
661 this->ike_sa->get_other_id(this->ike_sa));
662 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
663 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
664
665 /* TODO-IKEv1: Check the proposal for XAuthInit* auth modes */
666 /* TODO-IKEv1: check for XAUTH rounds, queue them */
667 if(0) /* TODO-IKEv1: Change to 1 if XAUTH is desired. */
668 return MIGRATE;
669 return SUCCESS;
670 }
671 default:
672 return FAILED;
673 }
674 }
675
676 METHOD(task_t, process_i, status_t,
677 private_main_mode_t *this, message_t *message)
678 {
679 switch (this->state)
680 {
681 case MM_SA:
682 {
683 linked_list_t *list;
684 sa_payload_t *sa_payload;
685 auth_method_t auth_method;
686 u_int32_t lifetime;
687
688 sa_payload = (sa_payload_t*)message->get_payload(message,
689 SECURITY_ASSOCIATION_V1);
690 if (!sa_payload)
691 {
692 DBG1(DBG_IKE, "SA payload missing");
693 return FAILED;
694 }
695 list = sa_payload->get_proposals(sa_payload);
696 this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
697 list, FALSE);
698 list->destroy_offset(list, offsetof(proposal_t, destroy));
699 if (!this->proposal)
700 {
701 DBG1(DBG_IKE, "no proposal found");
702 return FAILED;
703 }
704
705 lifetime = sa_payload->get_lifetime(sa_payload);
706 if (lifetime != this->lifetime)
707 {
708 DBG1(DBG_IKE, "received lifetime %us does not match configured "
709 "%us, using lower value", lifetime, this->lifetime);
710 }
711 this->lifetime = min(this->lifetime, lifetime);
712 auth_method = sa_payload->get_auth_method(sa_payload);
713 if (auth_method != this->auth_method)
714 {
715 DBG1(DBG_IKE, "received %N authentication, but configured %N, "
716 "continue with configured", auth_method_names, auth_method,
717 auth_method_names, this->auth_method);
718 }
719 return NEED_MORE;
720 }
721 case MM_KE:
722 {
723 if (!get_nonce_ke(this, &this->nonce_r, message))
724 {
725 return FAILED;
726 }
727 if (!derive_keys(this, this->nonce_i, this->nonce_r))
728 {
729 DBG1(DBG_IKE, "key derivation failed");
730 return FAILED;
731 }
732 return NEED_MORE;
733 }
734 case MM_AUTH:
735 {
736 id_payload_t *id_payload;
737 identification_t *id;
738
739 id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
740 if (!id_payload)
741 {
742 DBG1(DBG_IKE, "IDir payload missing");
743 return FAILED;
744 }
745 id = id_payload->get_identification(id_payload);
746 if (!id->matches(id, this->other_auth->get(this->other_auth,
747 AUTH_RULE_IDENTITY)))
748 {
749 DBG1(DBG_IKE, "IDir does not match");
750 id->destroy(id);
751 return FAILED;
752 }
753 this->ike_sa->set_other_id(this->ike_sa, id);
754
755 if (!verify_hash(this, FALSE, message, id))
756 {
757 return FAILED;
758 }
759
760 /* TODO-IKEv1: check for XAUTH rounds, queue them */
761 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
762 this->ike_sa->get_name(this->ike_sa),
763 this->ike_sa->get_unique_id(this->ike_sa),
764 this->ike_sa->get_my_host(this->ike_sa),
765 this->ike_sa->get_my_id(this->ike_sa),
766 this->ike_sa->get_other_host(this->ike_sa),
767 this->ike_sa->get_other_id(this->ike_sa));
768 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
769 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
770 return SUCCESS;
771 }
772 default:
773 return FAILED;
774 }
775 }
776
777 METHOD(task_t, get_type, task_type_t,
778 private_main_mode_t *this)
779 {
780 return TASK_MAIN_MODE;
781 }
782
783 METHOD(task_t, migrate, void,
784 private_main_mode_t *this, ike_sa_t *ike_sa)
785 {
786 this->ike_sa = ike_sa;
787 }
788
789 METHOD(task_t, destroy, void,
790 private_main_mode_t *this)
791 {
792 DESTROY_IF(this->peer_cfg);
793 DESTROY_IF(this->proposal);
794 DESTROY_IF(this->dh);
795 free(this->dh_value.ptr);
796 free(this->nonce_i.ptr);
797 free(this->nonce_r.ptr);
798 free(this->sa_payload.ptr);
799 free(this);
800 }
801
802 /*
803 * Described in header.
804 */
805 main_mode_t *main_mode_create(ike_sa_t *ike_sa, bool initiator)
806 {
807 private_main_mode_t *this;
808
809 INIT(this,
810 .public = {
811 .task = {
812 .get_type = _get_type,
813 .migrate = _migrate,
814 .destroy = _destroy,
815 },
816 },
817 .ike_sa = ike_sa,
818 .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
819 .initiator = initiator,
820 .state = MM_INIT,
821 );
822
823 if (initiator)
824 {
825 this->public.task.build = _build_i;
826 this->public.task.process = _process_i;
827 }
828 else
829 {
830 this->public.task.build = _build_r;
831 this->public.task.process = _process_r;
832 }
833
834 return &this->public;
835 }
strongSwan - IPsec VPN