|
1 /* |
|
2 * Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: IKEv1 negotiation. |
|
15 * |
|
16 */ |
|
17 |
|
18 #ifndef C_IKEV1NEGOTIATION_H |
|
19 #define C_IKEV1NEGOTIATION_H |
|
20 |
|
21 #include <e32base.h> |
|
22 |
|
23 #include "ikev1payloads.h" |
|
24 #include "ikev1extra.h" |
|
25 #include "ikev1SAdata.h" |
|
26 #include "ikepolparser.h" |
|
27 #include "ipsecsaspiretriever.h" |
|
28 |
|
29 #define INITIATOR 0 |
|
30 #define RESPONDER 1 |
|
31 |
|
32 #define PHASE_I 1 //Used to identify the PHASE number |
|
33 #define PHASE_II 2 |
|
34 |
|
35 #define OAKLEY_DEFAULT_NONCE_SIZE 128/8 //128 bits = 16 bytes |
|
36 #define ISAKMP_HEADER_SIZE 28 |
|
37 #define ISAKMP_HASH_SIZE 24 //Size for 3des_cbc return value |
|
38 #define MAX_PRF_LENGTH 24 //In bytes corresponds to 3DES_CBC |
|
39 #define MAX_RETRANS_TIMER 10 //Isakmp packet retransmission timer |
|
40 #define MAX_RETRANS_COUNT 7 //Maximum retransmission count |
|
41 |
|
42 //Vendor ID type codes values |
|
43 #define HASH_VENDOR_ID 0 //Contains only a vendor specific hash |
|
44 #define EXPANDED_VENDOR_ID 1 //Contains NAT probing data and a vendor specific hash |
|
45 #define IETF_NATT_VENDOR_ID 2 //Vendor ID for draft <draft-ietf-ipsec-nat-t-ike-03> |
|
46 #define IETF_RFC_NATT_VENDOR_ID 3 |
|
47 |
|
48 const TInt KMaxDpdRetryCount( 2 ); |
|
49 |
|
50 struct TSPINode |
|
51 { |
|
52 TInt iPropNum; //Proposal # |
|
53 TUint32 iSeq; //Sequence # in the GETSPI msg |
|
54 TUint32 iSPI; //Received SPI |
|
55 }; |
|
56 |
|
57 class TPfkeyMessage; |
|
58 class CIkev1PluginSession; |
|
59 class CAuthDialogInfo; |
|
60 class CIkev1Timeout; |
|
61 class CX509Certificate; |
|
62 class CIkeKeys; |
|
63 class CIkeV1PkiService; |
|
64 class TSAISAKMP; |
|
65 class TPayloadISAKMP; |
|
66 class TKeyISAKMP; |
|
67 class TIdentISAKMP; |
|
68 class TCertificateISAKMP; |
|
69 class TSignatureISAKMP; |
|
70 class THashISAKMP; |
|
71 class TNotificationISAKMP; |
|
72 class TVendorISAKMP; |
|
73 class TINTNETISAKMP; |
|
74 class TProposalISAKMP; |
|
75 class CIkev1NatDiscovery; |
|
76 class CIKECRACKNegotiation; |
|
77 class CTransNegotiation; |
|
78 class TIkev1IsakmpStream; |
|
79 class MIkeDebug; |
|
80 class MKmdEventLoggerIf; |
|
81 class CPFKeySocketIf; |
|
82 |
|
83 // |
|
84 // Class CIkev1Negotiation: Contains all the info for each negotiation in progress |
|
85 // |
|
86 NONSHARABLE_CLASS(CIkev1Negotiation) : public CBase, |
|
87 public MIpsecSaSpiRetrieverCallback |
|
88 { |
|
89 friend class CIkev1InfoNegotiation; |
|
90 friend class TIkev1IsakmpStream; |
|
91 friend class CIKECRACKNegotiation; |
|
92 friend class CTransNegotiation; |
|
93 friend class CIkev1Payloads; |
|
94 |
|
95 public: |
|
96 static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession, |
|
97 CPFKeySocketIf& aPFKeySocketIf, |
|
98 MIkeDebug& aDebug, |
|
99 const TInetAddr& aRemote, |
|
100 const TCookie& aInitiator, |
|
101 const TCookie& aResponder ); |
|
102 |
|
103 static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession, |
|
104 CPFKeySocketIf& aPFKeySocketIf, |
|
105 MIkeDebug& aDebug, |
|
106 const TInetAddr& aRemote, |
|
107 const TCookie& aInitiator, |
|
108 TBool aAutoLogin ); |
|
109 |
|
110 static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession, |
|
111 CPFKeySocketIf& aPFKeySocketIf, |
|
112 MIkeDebug& aDebug, |
|
113 TIkev1SAData* aIkev1SAdata, |
|
114 TUint aRole, |
|
115 const TPfkeyMessage *aReq = NULL ); |
|
116 |
|
117 static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession, |
|
118 CPFKeySocketIf& aPFKeySocketIf, |
|
119 MIkeDebug& aDebug, |
|
120 const TInetAddr& aRemote, |
|
121 TBool aAutoLogin ); |
|
122 |
|
123 static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession, |
|
124 CPFKeySocketIf& aPFKeySocketIf, |
|
125 MIkeDebug& aDebug, |
|
126 const TInetAddr& aRemote, |
|
127 const TPfkeyMessage& aReq ); |
|
128 |
|
129 ~CIkev1Negotiation(); |
|
130 |
|
131 TBool ExecuteL( const ThdrISAKMP& aHdr, |
|
132 const TInetAddr& aRemote, |
|
133 TInt aLocalPort ); |
|
134 TBool ExecutePhase2L( const ThdrISAKMP& aHdr, |
|
135 const TInetAddr& aRemote, |
|
136 TInt aLocalPort ); |
|
137 TBool ExecuteTransactionL( const ThdrISAKMP &aHdr, |
|
138 const TInetAddr& aRemote, |
|
139 TInt aLocalPort ); |
|
140 void InitNegotiationL(); |
|
141 void InitPhase2L(); |
|
142 //used by the timer |
|
143 void ReSendL(); |
|
144 |
|
145 inline TUint32 AcqSeq() {return iAcquireSeq;} |
|
146 inline TInt GetNotifyStatus() {return iReceivedNotify;} |
|
147 inline void SetNotifyStatus(TInt aStatus) {if (iReceivedNotify == KErrNone) iReceivedNotify = aStatus;} |
|
148 inline TBool Autologin() {return iAutoLogin;} |
|
149 inline TBool Finished() {return iFinished;} |
|
150 inline void SetFinished() {iFinished = ETrue;} |
|
151 inline void SetRekeyInfo(CSARekeyInfo* aSARekeyInfo) { iSARekeyInfo = aSARekeyInfo;} |
|
152 inline TUint32 SAId() {return iSAId;} |
|
153 TIkev1IsakmpStream* SaveIkeMsgBfr(TIkev1IsakmpStream* aMsg); |
|
154 void AuthDialogCompletedL(CAuthDialogInfo *aUserInfo); |
|
155 TInt32 RandomMessageId(); |
|
156 void SendDeleteL(TUint8 aProtocol, TUint32 aIpsecSPI = 0); //Send a Delete payload for the negotiation |
|
157 void SendKeepAliveMsgL(TIkev1SAData* aSa); |
|
158 |
|
159 TBool IsRekeyingIkeSa(); |
|
160 void PreparePhase2L(const TPfkeyMessage &aReq); |
|
161 |
|
162 MKmdEventLoggerIf& EventLogger(); |
|
163 |
|
164 // from base class MIpsecSaSpiRetrieverCallback |
|
165 |
|
166 /** |
|
167 * Notification about completion of IPsec SPI SA retrieve. |
|
168 * |
|
169 * @param aSpiRequestId Id of the SPI retrieve request. |
|
170 * @param aStatus Completion status |
|
171 * @param aSpi SPI value |
|
172 */ |
|
173 void IpsecSaSpiRetrieved(TUint32 aSpiRequestId, |
|
174 TInt aStatus, |
|
175 TUint32 aSpi); |
|
176 |
|
177 private: |
|
178 |
|
179 CIkev1Negotiation( CIkev1PluginSession* aPluginSession, |
|
180 CPFKeySocketIf& aPFKeySocketIf, |
|
181 MIkeDebug& aDebug ); |
|
182 CIkev1Negotiation( CIkev1PluginSession* aPluginSession, |
|
183 CPFKeySocketIf& aPFKeySocketIf, |
|
184 MIkeDebug& aDebug, |
|
185 const TInetAddr& aRemote, |
|
186 const TCookie& aInitiator ); |
|
187 CIkev1Negotiation( CIkev1PluginSession* aPluginSession, |
|
188 CPFKeySocketIf& aPFKeySocketIf, |
|
189 MIkeDebug& aDebug, |
|
190 const TInetAddr& aRemote ); |
|
191 |
|
192 void ConstructL( TBool aAutoLogin ); |
|
193 //When receiving an acquire |
|
194 void ConstructL( const TPfkeyMessage& aReq ); |
|
195 // To create a negotiation form an existing ISAKMP SA either as negotiator or responder |
|
196 void ConstructL( TIkev1SAData* aIkev1SAdata, |
|
197 TUint aRole, |
|
198 const TPfkeyMessage *aReq = NULL ); |
|
199 |
|
200 void GetAcquireDataL(const TPfkeyMessage &aReq); |
|
201 void CommonConstructL(); |
|
202 TBool BuildProposals1L(); |
|
203 TInt BuildProposals2L(); |
|
204 //Packet processing functions |
|
205 TBool ProcessHeaderL(const ThdrISAKMP &aHdr); |
|
206 //received packet processing depending on the stage |
|
207 TBool ProcessStage1L(const ThdrISAKMP &aHdr); //Checks SA from INITIATOR |
|
208 TBool ProcessStage2L(const ThdrISAKMP &aHdr); //Checks SA from RESPONDER |
|
209 TBool ProcessStage3MainL(const ThdrISAKMP &aHdr); //Checks KE,NONCE from INITIATOR |
|
210 TBool ProcessStage3AggrL(const ThdrISAKMP &aHdr);//Checks ID,AUTH from RESPONDER |
|
211 TBool ProcessStage4L(const ThdrISAKMP &aHdr); //Checks KE,NONCE from RESPONDER |
|
212 TBool ProcessStage5L(const ThdrISAKMP &aHdr); //Checks ID,AUTH from INITIATOR |
|
213 TBool ProcessStage6L(const ThdrISAKMP &aHdr); //Checks ID,AUTH from RESPONDER |
|
214 TBool ProcessStage7L(const ThdrISAKMP &aHdr); //CRACK authentication going |
|
215 TBool ProcessStage1Phase2L(const ThdrISAKMP &aHdr);//Checks HASH(1),SA,KE,NONCE,ID from INITIATOR |
|
216 TBool ProcessStage2Phase2L(const ThdrISAKMP &aHdr);//Checks HASH(2),SA from RESPONDER |
|
217 TBool ProcessStage3Phase2L(const ThdrISAKMP &aHdr);//Checks HASH(3) from INITIATOR/RESPONDER |
|
218 TBool ProcessCONNECTEDL(const ThdrISAKMP &aHdr);//Checks HASH(INF, NOTIF) from RESPONDER |
|
219 TBool ProcessSAL(const TSAISAKMP *aPayload, TUint8 *aRecvProposals); |
|
220 TBool ProcessProposalsL(const TPayloadISAKMP *aPayload,TUint32 aLengthLeft, TUint8 *aRecvProposals); |
|
221 TInt ProcessTransformsL(const TPayloadISAKMP *aPayload,TUint32 aLengthLeft); |
|
222 TInt ProcessTransforms2L(const TPayloadISAKMP *aPayload,CProposal_II *aProp,TUint32 aLengthLeft); |
|
223 TInt ProcessAttributesL(const TPayloadISAKMP *aPayload,TAttrib *aAttrib); //checks and return the SA attributes |
|
224 TInt ProcessAttributes2L(const TPayloadISAKMP *aPayload,TAttrib_II *aAttrib,TUint8 aProtocol); //checks and return the SA attributes |
|
225 TBool ProcessKeyL(const TKeyISAKMP *aKey); //check payload and stores public key value |
|
226 TBool ProcessNonceL(const TPayloadISAKMP *aPayload); |
|
227 TBool ProcessStage1_II_IDsL(const TIdentISAKMP *aInit_ID_payload,const TIdentISAKMP *aResp_ID_payload, CProposal_IIList *aRecv_proposals); |
|
228 TBool ProcessStage2_II_IDsL(const TIdentISAKMP *aInit_ID_payload,const TIdentISAKMP *aResp_ID_payload);//, CProposal_IIList *aRecv_proposals); |
|
229 TBool CheckIdentL(const TPayloadISAKMP *aPayload); |
|
230 TBool ProcessCertificateReqL(const TCertificateReqISAKMP *aCertReq); |
|
231 TBool ProcessCertificateReqArrayL(const CArrayFixFlat<const TCertificateReqISAKMP *> *aCRPayloadArray); |
|
232 TBool ProcessCertificateArrayL(CArrayFixFlat<const TCertificateISAKMP *> *aCertArray); |
|
233 TBool ProcessSignatureL(const TSignatureISAKMP *aPayload); |
|
234 TBool ProcessHashL(const THashISAKMP *aHashPayload); |
|
235 TBool ProcessHash2L(const ThdrISAKMP &aHdr, const THashISAKMP *aHashPayload, TUint aPadding); |
|
236 TBool ProcessNotificationL(const TNotificationISAKMP *aNotifPayload); |
|
237 TBool ProcessResponderLifetimeL(const TNotificationISAKMP *aNotifPayload); |
|
238 TBool ProcessReplayStatus(const TNotificationISAKMP *aNotifPayload); |
|
239 TBool ProcessInitialContactL(const TNotificationISAKMP *notif_payload); |
|
240 void ProcessVendorL(CArrayFixFlat<const TVendorISAKMP*>* aVids); |
|
241 void ProcessIntAddrL(const TINTNETISAKMP *aIntnetPayload); |
|
242 |
|
243 TBool Phase_IExchangeL(const ThdrISAKMP &aHdr); |
|
244 TBool Phase_IIExchangeL(const ThdrISAKMP &aHdr); |
|
245 void QuickModeReplyL(); |
|
246 void MainModeReplyL(); |
|
247 void AggressiveReplyL(); |
|
248 |
|
249 //Certificate reading functions |
|
250 TBool ReadCAsL(CArrayFixFlat<TCertInfo*> *aCAList); |
|
251 TBool ReadOwnCertL(); |
|
252 |
|
253 TCookie CreateCookieL() const; |
|
254 TBool CheckCookies(const TCookie& aInit, const TCookie& aResp); |
|
255 TBool CheckPayloadCode(TUint8 aPayload); |
|
256 TBool CheckVersionL(TUint8 aVersion); |
|
257 TBool CheckExchangeTypeL(TUint8 aType); |
|
258 TBool CheckFlagsL(TUint8 aFlags); |
|
259 TBool CheckMessageIdL(TUint32 aId); |
|
260 TBool CheckDOI(TUint32 aDOI); |
|
261 TBool CheckSituationL(TUint32 aSIT); |
|
262 TBool CheckGenericPayloadL(const TPayloadISAKMP *aPayload); |
|
263 TBool CheckProtocolL(TUint8 aProtocol); //checks if protocol supported |
|
264 TBool CheckSPIL(const TProposalISAKMP *aProposal); //checks if the SPI is valid |
|
265 TBool CheckTransformID(TUint8 aProtocol,TUint8 aID); |
|
266 |
|
267 //SA Attributes checking functions |
|
268 TBool CheckEncrAlg(TUint16 aValue); |
|
269 TBool CheckHashAlg(TUint16 aValue); |
|
270 TBool CheckAuthMethod(TUint16 aValue); |
|
271 TBool CheckGroupDesc(TUint16 aValue); |
|
272 TBool CheckGroupType(TUint16 aValue); |
|
273 TBool CheckGroupPrime(const TUint8* aValue, TUint16 length); |
|
274 TBool CheckGroupGen(const TUint8* aValue, TUint16 length); |
|
275 TBool CheckGroupCurve(const TUint8* aValue, TUint16 length); |
|
276 TBool CheckLifeType(TUint16 aValue); |
|
277 TBool CheckLifeDuration(const TUint8* aValue, TUint16 length); |
|
278 TBool CheckPRF(TUint16 aValue); |
|
279 TBool CheckKeyLength(TUint16 aValue,TUint8 aID,TUint8 aProtocol); |
|
280 TBool CheckFieldSize(TUint16 aValue); |
|
281 TBool CheckGroupOrder(const TUint8* aValue, TUint16 length); |
|
282 TBool CheckEncMode(TUint16 aValue); |
|
283 TBool CheckAuthAlg(TUint16 aValue); |
|
284 |
|
285 //Certificate payload checks |
|
286 TBool CertifyRemoteIdentityL(const TIdentISAKMP *aIdPayload); |
|
287 TInt CheckEncodingL(TUint8 aEncoding); |
|
288 |
|
289 |
|
290 //Signatures |
|
291 TBool VerifySignatureL(CX509Certificate *aCert,TUint8 *iHash, TInt aLength,TUint8 *aSig,TUint aSigLength); |
|
292 |
|
293 |
|
294 //Diffie-Hellman Exchange Routines |
|
295 TBool ComputeDHPublicValueL(); |
|
296 void ComputeNonceL(); |
|
297 |
|
298 //Hash and Signature computation |
|
299 void ComputeHashrL(TDes8 &aHash); |
|
300 void ComputeHash1L(TDes8 &aHash); |
|
301 void ComputeHash2L(TDes8& aHash,TInt aStage,const TUint8 *aHashMsg=NULL,TInt aHashMsgLen=0); |
|
302 TBool VerifyHash2L(const THashISAKMP *iHash,const TUint8 *aHashMsg=NULL,TInt aHashMsgLen=0); |
|
303 TBool VerifyInformationalHashL(const THashISAKMP *aHash,const TPayloadISAKMP *aPayload, TUint32 iMessageId); |
|
304 void ComputeHashInfL(TDes8& aHash,const TUint8 *aHashMsg,TInt aHashMsgLen); |
|
305 |
|
306 //Send a Notification packet informing of an error. |
|
307 void SendNotifyL(TUint16 aError); |
|
308 |
|
309 void CheckSendResponderLifetime(TIkev1IsakmpStream &aMsg); |
|
310 static TPtrC ExchangeType(TUint8 aExchange); |
|
311 static void TextPayload(TDes &aBuf, TUint8 aPayload); |
|
312 static TPtrC TextNotifyType(TUint16 aNotif); |
|
313 |
|
314 //PFKEY related functions |
|
315 void AcquireSAErrorResponse(TInt aError); |
|
316 void GetSPIL(); |
|
317 void ReceiveSPIL(TUint32 aSPI, TUint32 aSeq); |
|
318 |
|
319 void UpdateSADatabaseL(); |
|
320 |
|
321 void ComputeLifetimes_II(const TDesC8 &aLifetime, const TDesC8 &aLifesize, TInt64 &aTime, TInt64 &aBytes); |
|
322 |
|
323 //CRACK related functions |
|
324 TBool StartCRACKAuthL(); |
|
325 |
|
326 TBool IsakmpPhase1CompletedL(); |
|
327 |
|
328 //Socket |
|
329 void SendL(TIkev1IsakmpStream &aMsg); |
|
330 |
|
331 inline TUint Role() {return iRole;} |
|
332 inline CIkev1PluginSession* PluginSession() {return iPluginSession;} |
|
333 TInt HashLength(); //Output size for PRF algorithm |
|
334 |
|
335 TUint32 ISAKMPEncrKeyLength(TUint8 aAlgId) const; //in bytes |
|
336 TUint32 HMAC_KeyLength(TUint8 aId) const; |
|
337 |
|
338 //builds the correct key using the values in iNegotiation |
|
339 TBool ComputeKeysL(); |
|
340 void ComputeKeys2L(const CProposal_II *aProp, TInt aKeyLen, TSPINode &aInboundSpiNode, TDes8& aOutboundKey_II, TDes8& aInboundKey_II); |
|
341 void ComputePRFL(TDes8 &prf_output, const TDesC8 &prf_key, const TDesC8 &prf_data); |
|
342 TBool InitIVL(); //Initial IV value |
|
343 TBool ComputeIVL(TDes8 &aIV, TInt32 aMessageId); //subsequent IV computations |
|
344 //Encryption routines |
|
345 void AppendAttributeError(TInt aErr, TDes &aBuf) const; |
|
346 void SaveISAKMPSAL(); |
|
347 void CreateChosenProposalL(CProposal_IIList* aPropList, TInt aPropNum, CTransModifierList *aTransArray); |
|
348 TBool ExamineRemoteIdentity(const TDesC8& aRemoteIdInPolicy); |
|
349 TBool ProcessIdentityData(const TDesC8& aIdentity, TUint8* aToIdType, TInetAddr* aToIpAddr1, TInetAddr* aToIpAddr2); |
|
350 |
|
351 void DpdNotifyMessageReceivedL(TIkev1SAData* aSa, TUint16 aMsgType, TUint32 aSequence); |
|
352 TUint32 GetNextSequence(TUint32 aSequence); |
|
353 void SendDpdNotifyMessageL(TUint16 aMsgType, TUint32 aSequence); |
|
354 |
|
355 TInt ErrorStatus(); |
|
356 void SetErrorStatus(TInt aStatus); |
|
357 |
|
358 void SendAndSaveIkeMsgL( const TDesC8& aIkeMsg, |
|
359 TInetAddr& aDestAddr, |
|
360 TBool aUseNatPort ); |
|
361 |
|
362 TBool IsRetransmit(TLastIKEMsg& aRef); |
|
363 void SaveRetransmitInfo(TLastIKEMsg& aRef); |
|
364 void SaveLastMsgL(); |
|
365 |
|
366 public: |
|
367 TCookie iCookie_I; // Initiator Cookie (Used with responder to create KEYID) |
|
368 TCookie iCookie_R; // Responder Cookie |
|
369 TUint32 iSAId; |
|
370 TUint32 iMessageId; // Message Id. o during Phase I |
|
371 CIkev1Negotiation *iNext; // A link field to maintain negotiations. |
|
372 |
|
373 private: |
|
374 //Data relevant to the host |
|
375 CIkeData *iHostData; |
|
376 |
|
377 //Internal Data |
|
378 TInetAddr iLocalAddr; |
|
379 TInetAddr iRemoteAddr; // Remote Address (Gateway or end host) |
|
380 |
|
381 |
|
382 TUint iRole; // If we are PHASE I Initiator or Responder |
|
383 TUint iPhase; // Phase I or II |
|
384 TUint iStage; // Negotiation Stage |
|
385 |
|
386 //Header Data |
|
387 TUint8 iExchange; // IKE mode in use (Main, agressive,...) |
|
388 TUint8 iPrevExchange; // Used to process the last msg of Phase I |
|
389 |
|
390 TUint8 iFlags; // Own flags to use when sending a msg header |
|
391 TUint8 iRecvFlags; // Received flags in the last msg header |
|
392 TBool iCommitBitSet; // If true the Commit bit has been set by this host |
|
393 TUint32 iNotifyMessageId; // Message Id. for Informational Exchanges |
|
394 TLastIKEMsg iLastIKEMsgInfo;// Information of the last received IKE message |
|
395 |
|
396 //SA Data |
|
397 TUint8 *iSAPayload; // Initiator SA payload (used in the hash computation). Generic payload NOT included |
|
398 TInt iSAPayloadSize; |
|
399 TUint32 iDOI; // Must be IPSEC = 1 |
|
400 |
|
401 //Proposal/transform list Phase I and II |
|
402 TProposal iProposal_I; // Contains proposed SA attrib for Phase I with it's attr list |
|
403 TProposal iChosenProposal_I; |
|
404 CProposal_IIList *iProposal_IIList; //Contains the Phase_II Proposal List (PROPOSED) |
|
405 CProposal_IIList *iChosenProp_IIList; //Contains the Phase_II Proposal List (Received from the remote peer) |
|
406 |
|
407 |
|
408 TInt iProposalNum; //Accepted proposed proposal. Needed to know which are the valid SPIs in the next list |
|
409 CArrayFixFlat<TSPINode> *iInboundSPIList; |
|
410 |
|
411 //Keys (DH Generated public value when own) |
|
412 CIkeKeys *iOwnKeys; //Contains own public and private keys |
|
413 HBufC8 *iOwnPublicKey; |
|
414 TPtrC8 iOwnPublicKey_ptr; |
|
415 TBuf8<MAX_PRIME_SIZE> iPeerPublicKey; //(gxr) |
|
416 TBuf8<IKEV1_KEY_MATERIAL_SIZE> iSKEYID; //KEY used for encryption/decryption of messages |
|
417 TBuf8<IKEV1_KEY_MATERIAL_SIZE> iSKEYID_d; //KEY used to derive keys for non-ISAKMP SAs |
|
418 TBuf8<IKEV1_KEY_MATERIAL_SIZE> iSKEYID_a; //KEY used for authentication of ISAKMP messages |
|
419 TBuf8<IKEV1_KEY_MATERIAL_SIZE> iSKEYID_e; //KEY used for encryption/decryption of ISAKMP messages |
|
420 |
|
421 //IV used by des_cbc and des3_cbc is 8 and for AES 16 |
|
422 TBuf8<IKEV1_MAX_IV_SIZE> iIV; //normal IV |
|
423 TBuf8<IKEV1_MAX_IV_SIZE> iLastIV; //Saves the last IV of PHASE_I to compute iNotifIV everytime and the first IV in Quick mode |
|
424 TInt iIVSize; //Current IV/cipher block size |
|
425 |
|
426 //Perfect Forward Secrecy |
|
427 TBool iPFS; |
|
428 |
|
429 //Replay Window Length |
|
430 //TInt8 iReplayWindowLength; |
|
431 |
|
432 //Nonces |
|
433 TBuf8<MAX_PRIME_SIZE> iNONCE_I; |
|
434 TBuf8<MAX_PRIME_SIZE> iNONCE_R; |
|
435 |
|
436 //IDENTITY info |
|
437 TUint8 *iPeerIdentPayload; //Full Peer ID payload for HASH_I/R computation.Generic payload NOT included |
|
438 TInt iPeerIdentPayloadSize; |
|
439 TUint8 *iOwnIdentPayload; //Full own ID payload for HASH_I/R computation.Generic payload NOT included |
|
440 TInt iOwnIdentPayloadSize; |
|
441 //TUint8 iIDType; |
|
442 TUint16 iIDLocalPort; |
|
443 TUint16 iIDRemotePort; |
|
444 TUint8 iIDProtocol; |
|
445 TBool iIDReceived; |
|
446 |
|
447 TBool iSwapRemoteIdType; |
|
448 TBool iDefaultRemoteID; //To avoid updating the Remote ID if a default is being used |
|
449 TInetAddr iRemoteAddr1_ID_II;// Remote proxy Address, subnet or initial range |
|
450 TInetAddr iRemoteAddr2_ID_II;// Remote proxy mask or end range |
|
451 TUint8 iRemoteIDType_II; |
|
452 TBool iDefaultLocalID; //To avoid updating the Local ID if a default is being used |
|
453 TInetAddr iLocalAddr1_ID_II; // Local proxy Address, subnet or initial range |
|
454 TInetAddr iLocalAddr2_ID_II; // Local proxy mask or end range if implemented |
|
455 TUint8 iLocalIDType_II; |
|
456 |
|
457 // |
|
458 //IETF NAT Traversal information |
|
459 // |
|
460 CIkev1NatDiscovery *iNatDiscovery; // IETF NAT traversal control object pointer |
|
461 TUint32 iNAT_D_Flags; // If not zero, there is NAT between sites |
|
462 TInetAddr iLastRemoteAddr; // Last detected remote address |
|
463 TInetAddr iRemoteOriginalAddr; // Private address of the remote end |
|
464 |
|
465 // |
|
466 //NAT Traversal information |
|
467 // |
|
468 TBool iFamiliarPeer; // Nokia VPN implementation detected in peer |
|
469 TBool iNAT_T_Required; // True when NAT detected between local end and peer |
|
470 |
|
471 // |
|
472 // Dead peer detection support |
|
473 // |
|
474 TBool iDPDSupported; // Both ends support DPD |
|
475 |
|
476 // |
|
477 //Internal address information received from Nokia VPN gateway |
|
478 // |
|
479 CInternalAddress *iInternalAddr; //Internal address and possible DNS addresses |
|
480 |
|
481 // |
|
482 // Certificates |
|
483 // |
|
484 TUint8 iEncoding; |
|
485 CX509Certificate *iPeerX509Cert; //Received X509 certificate (or read in RSA encryption if already stored). |
|
486 |
|
487 // |
|
488 // Trusted CA certificates list |
|
489 // |
|
490 HBufC8* iPeerTrustedCA; //Trusted CA (of peer) |
|
491 HBufC8* iICA1; //Level 1 Intermediate certificate |
|
492 HBufC8* iICA2; //Level 2 Intermediate certificate |
|
493 HBufC8* iCA; |
|
494 HBufC8* iOwnCert; //Certificate in use |
|
495 |
|
496 TBool iSendCert; //Tells if is Required to send our cert in next stage (Told in a Cert Req.) |
|
497 TBool iCertRequested; //Tells whether we've requested a CERT through a CR |
|
498 |
|
499 //PFKEY related data |
|
500 TBool iAcquirePending; //Informs if Acquire is pending |
|
501 TUint32 iAcquireSeq; //Seq num received in the acquire msg. will be used for UPDATE |
|
502 TUint32 iSeq; //Current Seq. num will be used in GETSPI |
|
503 TUint32 iPfkeyAcquirePID; //PID in the acquire msg. will be used in GETSPI |
|
504 TUint8 iPendingSPI; // Used for GetSPI and Receive in case there are many SPI to request |
|
505 |
|
506 //Miscellanious data |
|
507 HBufC8* iLastMsg; // Last message sent (Used for retransmissions). |
|
508 CIkev1Timeout *iTimer; // Timer to retry sending a message |
|
509 TInt iRetryNum; // Number of retry in the current message |
|
510 TBool iFinished; //Tells if the negotiation is finished to destroy it |
|
511 TBool iAutoLogin; //If ETrue, Negotiation started by policy activation |
|
512 TInt iReceivedNotify; //Status value of (the first) received Notify payload |
|
513 TUint32 iLengthLeft; //Use to check the size of a payload is not bigger than the data left to process |
|
514 |
|
515 //References to objects |
|
516 CIkev1PluginSession* iPluginSession; // IKEv1 plugin session |
|
517 CIkeV1PkiService* iPkiService; |
|
518 CIKECRACKNegotiation* iCRACKneg; |
|
519 CTransNegotiation* iTransactionNeg; |
|
520 CSARekeyInfo* iSARekeyInfo; |
|
521 TIkev1IsakmpStream* iSavedIkeMsgBfr; |
|
522 TBool iVendorIDRfc; |
|
523 |
|
524 TBool iPhaseIIAfterIkeSaRekey; // Start PhaseII after IKE SA rekeying |
|
525 TInt64 iHardLifetime; |
|
526 |
|
527 CIpsecSaSpiRetriever* iIpsecSaSpiRetriever; |
|
528 CPFKeySocketIf& iPFKeySocketIf; |
|
529 MIkeDebug& iDebug; |
|
530 }; |
|
531 |
|
532 #endif // C_IKEV1NEGOTIATION_H |