|
1 /* |
|
2 * Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: IKEv2 negotiation |
|
15 * |
|
16 */ |
|
17 #ifndef _IKEV2NEGOTIATION_H_ |
|
18 #define _IKEV2NEGOTIATION_H_ |
|
19 |
|
20 #include <x509cert.h> |
|
21 |
|
22 #include "ikev2SAdata.h" |
|
23 #include "ikev2natt.h" |
|
24 #include "pfkeymsg.h" |
|
25 #include "ikev2payloads.h" |
|
26 #include "ikev2mobike.h" |
|
27 #include "ikev2retransmittimer.h" |
|
28 #include "ikecrypto.h" |
|
29 #include "ikemsgrec.h" |
|
30 #include "kmdapi.h" |
|
31 #include "ikev2pkiservice.h" |
|
32 #include "ikecert.h" |
|
33 #include "ipsecsaspiretriever.h" |
|
34 #include "ikev2ipsecsadata.h" |
|
35 #include "ikev2EapInterface.h" |
|
36 |
|
37 static const TUint16 KMaxSendAttemps = 6; |
|
38 |
|
39 #define DEF_MSG_ID_WINDOW 1 |
|
40 |
|
41 #define IKEV2_DEF_NONCE_SIZE (160/8) //160 bits = 20 bytes |
|
42 #define IKEV2_MIN_NONCE_SIZE (128/8) //128 bits = 16 bytes |
|
43 #define IKEV2_DEF_LIFETIME 14400 //4 hours |
|
44 |
|
45 // |
|
46 // IKE/IPSEC SA negotiation states |
|
47 // |
|
48 const TInt KStateIdle = 0; |
|
49 const TInt KStateIkeInitPkiService = 1; |
|
50 const TInt KStateIkeSaInitRequest = 2; |
|
51 const TInt KStateIkeSaAuthRequest = 4; |
|
52 const TInt KStateIkeWaitingId = 5; |
|
53 const TInt KStateIkeSaEapStarted = 6; |
|
54 const TInt KStateIkeSaEapGoing = 7; |
|
55 |
|
56 const TInt KStateIkeSaInitResponse = 11; |
|
57 const TInt KStateIkeSaAuthWaitSpi = 12; |
|
58 const TInt KStateIkeSaAuthResponse = 14; |
|
59 |
|
60 |
|
61 const TInt KStateIkeSaCompleted = 20; |
|
62 |
|
63 const TInt KStateIkeChildSARequest = 21; |
|
64 const TInt KStateIkeChildSAResponse = 22; |
|
65 |
|
66 const TInt KStateIkeSARekeyRequest = 23; |
|
67 const TInt KStateIkeSARekeyResponse = 24; |
|
68 |
|
69 const TInt KStateIkeInfoRequest = 31; |
|
70 const TInt KStateIkeInfoResponse = 32; |
|
71 const TInt KStateIkeDeleteRequest = 33; |
|
72 const TInt KStateIkeDeleteResponse = 34; |
|
73 const TInt KStateChildDeleteRequest = 35; |
|
74 const TInt KStateChildDeleteResponse = 36; |
|
75 |
|
76 class CIkev2PluginSession; |
|
77 class CPFKeySocketIf; |
|
78 class CIkev2Config; |
|
79 class CIkeData; |
|
80 class CIkev2Acquire; |
|
81 class CIkev2Expire; |
|
82 class MKmdEventLoggerIf; |
|
83 class MIkeDebug; |
|
84 class CIkeV2Message; |
|
85 class CIkeV2Identity; |
|
86 class CIkev2MessageSendQueue; |
|
87 |
|
88 /** |
|
89 * CIkev2Negotiation |
|
90 * |
|
91 * @lib internal (ikev2lib.lib) |
|
92 */ |
|
93 NONSHARABLE_CLASS(CIkev2Negotiation) : public CBase, |
|
94 public MIkeV2PkiServiceObserver, |
|
95 public MIpsecSaSpiRetrieverCallback, |
|
96 public MIkev2EapIfObserver, |
|
97 public MIkev2RetransmitTimerCallback |
|
98 { |
|
99 friend class Ikev2MobIke; |
|
100 |
|
101 public: |
|
102 |
|
103 /** |
|
104 * NewL |
|
105 * |
|
106 * @since S60 ?S60_version |
|
107 * @param aControl Plugin control. Must be != NULL |
|
108 * ownership not taken. |
|
109 * @param aIkeData ?description |
|
110 * @param aVpnIapId ?description |
|
111 * @param aPhysicalInterfaceAddress IP address of the physical connection with scope. |
|
112 * @param aRemote ?description |
|
113 * @return self |
|
114 */ |
|
115 static CIkev2Negotiation* NewL(CIkev2PluginSession& aIkeV2PlugInSession, |
|
116 CPFKeySocketIf& aPfKeySocketIf, |
|
117 MKmdEventLoggerIf& aEventLogger, |
|
118 CIkev2MessageSendQueue& aMessageSendQue, |
|
119 MIkeDebug& aDebug, |
|
120 CIkeData* aIkeData, |
|
121 TUint32 aVpnIapId, |
|
122 TUint32 aSAId, |
|
123 TInetAddr aPhysicalInterfaceAddress, |
|
124 TInetAddr aRemoteAddress); |
|
125 |
|
126 /** |
|
127 * NewL |
|
128 * |
|
129 * @since S60 ?S60_version |
|
130 * @param aControl Plugin control. Must be != NULL |
|
131 * ownership not taken. |
|
132 * @param aSAId ?description |
|
133 * @return self |
|
134 */ |
|
135 static CIkev2Negotiation* NewL(CIkev2PluginSession& aIkeV2PlugInSession, |
|
136 CPFKeySocketIf& aPfKeySocketIf, |
|
137 MKmdEventLoggerIf& aEventLogger, |
|
138 CIkev2MessageSendQueue& aMessageSendQue, |
|
139 MIkeDebug& aDebug, |
|
140 TIkev2SAData& aIkev2SAdata); |
|
141 |
|
142 ~CIkev2Negotiation(); |
|
143 |
|
144 void StartIkeSANegotiationL(); |
|
145 TBool StartRespondingL(const ThdrISAKMP& aIkeMessage); |
|
146 void StartIkeSADeleteL(); |
|
147 void ProcessIkeMessageL(const ThdrISAKMP& aIkeMessage, const TInetAddr& aRemote, TUint16 aLocalPort); |
|
148 void ProcessAcquireL(const TPfkeyMessage& aPfkeyMessage); |
|
149 void ProcessExpireL(const TPfkeyMessage& aPfkeyMessage); |
|
150 void StartIpsecSaRekeyingL(const TPfkeyMessage &aPfkeyMsg); |
|
151 void BuildIkeSaRekeyMsgL(TBool aRequest); |
|
152 |
|
153 void SendKeepAliveMsgL(); |
|
154 |
|
155 TBool Stopped(); |
|
156 |
|
157 void CancelOperation(); |
|
158 |
|
159 // from base class MIkeV2PkiServiceObserver |
|
160 void IkeV2PkiInitCompleteL(TInt aStatus); |
|
161 |
|
162 // from base class MIpsecSaSpiRetrieverCallback |
|
163 void IpsecSaSpiRetrieved(TUint32 aSpiRequestId, |
|
164 TInt aStatus, |
|
165 TUint32 aSpi); |
|
166 |
|
167 |
|
168 // from base class MIkev2EapIfObserver |
|
169 void SendEapDataL(HBufC8* aEapData); |
|
170 void EapEventL(TInt aEvent); |
|
171 |
|
172 // from base class MIkev2RetransmitTimerCallback |
|
173 |
|
174 /** |
|
175 * From MIkev2RetransmitTimerCallback |
|
176 * Request IKE request resend. |
|
177 */ |
|
178 void RetransmitRequest(); |
|
179 |
|
180 private: // implementation |
|
181 CIkev2Negotiation(CIkev2PluginSession& aIkeV2PlugInSession, |
|
182 CPFKeySocketIf& aPfKeySocketIf, |
|
183 MKmdEventLoggerIf& aEventLogger, |
|
184 CIkev2MessageSendQueue& aMessageSendQue, |
|
185 MIkeDebug& aDebug, |
|
186 TUint32 aSaId); |
|
187 void ConstructL(); |
|
188 |
|
189 TBool ImplicitChildSa(); |
|
190 HBufC8* PeekProposedSa(); |
|
191 HBufC8* GetProposedSa(); |
|
192 void SetProposedSa(HBufC8* aSaPl); |
|
193 |
|
194 CIkev2Acquire** GetAcquireQue(); |
|
195 CIkev2Expire** GetExpireQue(); |
|
196 TBool RequestsPending(); |
|
197 void SetNotifyCode(TInt aMsgType); |
|
198 TInt GetNotifyCode(); |
|
199 void StoreNotifyData32(TUint32 aData); |
|
200 void StoreNotifyData16(TUint16 aData); |
|
201 TUint8* NotifyData(TInt& aDataLth); |
|
202 TInetAddr GetLocalAddr() const; |
|
203 |
|
204 void IkeSaCompletedL(); |
|
205 void IkeSaFailed(TInt aStatus = KKmdIkeNoResponseErr); |
|
206 void IpsecSANegotiatedL(); |
|
207 void CheckNotifyCodeL(CIkev2Payloads* IkeMsg); |
|
208 void CreateIkeSPI(TIkeSPI& aSPI, TBool aRekey=EFalse); |
|
209 void GetNatStatus(TBool aSupported, const TInetAddr& aRemote); |
|
210 void GetIpsecSPI(CIkev2Acquire* aAcquire); |
|
211 |
|
212 void GetNonceDataL(TBool aInitiator); |
|
213 void GetOwnIdentityL(TBool aEapIdResponse=EFalse); |
|
214 |
|
215 void LoadEapPluginL(); |
|
216 TBool InitPkiServiceL(); |
|
217 void StartIkeSaInitL(); |
|
218 void SendIkeAuthMessageL(); |
|
219 |
|
220 void ContinueIkeNegotiationL(); |
|
221 void BuildChildSAMessageL(CIkev2Acquire* aAcquire, TBool aInitiator); |
|
222 void BuildDeleteRequestL(CIkev2Expire* aExpire); |
|
223 |
|
224 //Send the ike message. Claims the ownership of the message. |
|
225 void SendIkeMsgL(CIkeV2Message* aMsg); |
|
226 |
|
227 TBool ProcessIkeSaInitL(CIkev2Payloads* aIkeMsg, const TInetAddr& aRemote); |
|
228 TBool ProcessIkeAuthL(CIkev2Payloads* aIkeMsg); |
|
229 TBool ProcessChildSaL(CIkev2Payloads* aIkeMsg); |
|
230 TBool ProcessInfoMsgL(CIkev2Payloads* aIkeMsg); |
|
231 TBool ProcessIkeSARekeyL(CIkev2Payloads* aIkeMsg); |
|
232 TBool ProcessDeletePayloadsL(const CArrayFixFlat<TDeletePlIkev2*>& aDeletes, TBool aRequest); |
|
233 TBool ProcessNotifyPayloadsL(const CArrayFixFlat<TNotifPayloadIkev2*>& aNotifys, TBool aRequest, TInt aExchange); |
|
234 TBool ProcessCookieL(const CArrayFixFlat<TNotifPayloadIkev2*>& aNotifys, TBool aRequest); |
|
235 void ProcessInvalidKePayloadNotifyL(); |
|
236 |
|
237 void GenerateIkeKeysL(TIkev2SAData* aRekeydSaData=NULL); |
|
238 |
|
239 void SaveSignedDataL(TBool aLocal, const TDesC8& aIkeMsg); |
|
240 void AddIdToSignedDataL(TBool aLocal, HBufC8* aSigned, const TDesC8& aIdData); |
|
241 HBufC8* SignAuthDataL(const TDesC8& aAuthData, TUint8 aAuthMethod); |
|
242 TBool AddIdAndAuthenticatePeerL(CIkev2Payloads* aIkeMsg); |
|
243 TBool AuthenticatePeerL(TAuthPayloadIkev2* aAuth); |
|
244 TBool VerifyPeerCertificateL(CArrayFixFlat<TCertPayloadIkev2*>* aCerts, TIDPayloadIkev2* aId ); |
|
245 |
|
246 TBool ProcessKeyExchangeL(TKEPayloadIkev2* aKePayload, TUint16 aGroup); |
|
247 |
|
248 void AppendKEPayloadL(CIkeV2Message& aIkeMsg, TUint16 aDHGroup); |
|
249 |
|
250 TPayloadIkev2* PadEncrPayload(HBufC8* aMsg, TPayloadIkev2* aEncrPl); |
|
251 TUint16 TotalLength( TPayloadIkev2* aLoad, TPayloadIkev2* aLoad2 ); |
|
252 TBool CheckPayloadsOrder(CIkev2Payloads* aIkeMsg, TUint8 aExchange, TBool aResponse); |
|
253 TPayloadIkev2* BuildI2CertPayload(HBufC8* aMsg, TPayloadIkev2* aPrevPl); |
|
254 TPayloadIkev2* BuildI1CertPayload(HBufC8* aMsg, TPayloadIkev2* aPrevPl); |
|
255 |
|
256 void IpsecSaSpiRetrievedL(TUint32 aSpiRequestId, TUint32 aSpi); |
|
257 |
|
258 /** |
|
259 * Handles IKE datagram resend. |
|
260 */ |
|
261 void DoRetransmitL(TBool aResponse=EFalse); |
|
262 |
|
263 public: // Data |
|
264 // |
|
265 // Header Data (Common with IKEv2 SA) |
|
266 // |
|
267 TIkev2SAData iHdr; // Common negotiation info for IKE SA |
|
268 TIkeV2IpsecSAData iChild; // Common negotiation info for IPSEC SA |
|
269 CIkev2PluginSession& iIkeV2PlugInSession; // IKEv2 plugin engine |
|
270 |
|
271 |
|
272 CIkev2Negotiation* iNext; // A link field to maintain negotiations. |
|
273 |
|
274 private: // Data |
|
275 |
|
276 CPFKeySocketIf& iPfKeySocketIf; |
|
277 MKmdEventLoggerIf& iEventLogger; |
|
278 CIkev2MessageSendQueue& iMessageSendQue; |
|
279 MIkeDebug& iDebug; |
|
280 |
|
281 CIpsecSaSpiRetriever* iSpiRetriever; |
|
282 |
|
283 TInt iState; // Negotiation State |
|
284 TUint32 iSAid_Rekey;// Rekeyed SAid |
|
285 TIkeSPI iSPI_Rekey; // Local SPI for rekeyed IKE SA |
|
286 TBool iStopped; // Negotiation failed indicator |
|
287 TBool iDeleteIkeSA; // A notify message received from peer which requires IKE SA to be deleted |
|
288 TBool iChildSARejected; // A notify message received which indicates that Child SA is not accepted |
|
289 |
|
290 TBool iDeactivateGoing; // Negotiation started due deactivate |
|
291 TBool iCookieReturned; // Cookie returned to responder |
|
292 TBool iPkiAuthRequired; // Private key signature is required as authentication |
|
293 TBool iEapCompleted; // EAP authentication completed succesfully |
|
294 TBool iPeerIdInSignedData; // Peer id has already been added to signed data |
|
295 TBool iRekeyCollision; // Rekey collision occurred |
|
296 TBool iProcessEvents; // Indicates whether the object is accepting events (not accepting when destructor called) |
|
297 |
|
298 CIkev2RetransmitTimer* iTimer; // Timer to retransmit IKE request message |
|
299 CDHKeys* iDHKeys; // Diffie-Hellman calculation object |
|
300 CIkev2NatT* iNatNotify; // Pointer to IKEv2 NAT Traversal object |
|
301 CIkev2Config* iConfigMode; // Pointer to IKEv2 Config object |
|
302 CIkev2EapIf* iEapPlugin; // Pointer to IKEv2 EAP interface object |
|
303 CIkeV2PkiService* iPkiService; // Pointer to PKI service Interface object |
|
304 HBufC8* iSavedSaInit; // Saved IKE_SA_INIT request (waiting PKI service init) |
|
305 HBufC8* iProposedSA; // Proposed IKE/IPSEC SA payload content |
|
306 HBufC8* iDHPublicPeer; // Diffie-Hellman Public value (peer) |
|
307 HBufC8* iNonce_I; // Initiator Nonce |
|
308 HBufC8* iNonce_R; // Responder Nonce |
|
309 HBufC8* iAuthMsgInit; // Signed octet buffer (for initiator AUTH payload) |
|
310 HBufC8* iAuthMsgResp; // Signed octet buffer (for responder AUTH payload) |
|
311 HBufC8* iPresharedKey; // Configured preshared key- or EAP MSK data buffer |
|
312 |
|
313 CIkeV2Identity* iLocalIdentity; |
|
314 CIkeV2Identity* iRemoteIdentity; |
|
315 |
|
316 CX509Certificate* iPeerCert; // Verified peer certificate |
|
317 |
|
318 TUint16 iSendAttempt; |
|
319 TInt iNotifyCode; // Error status for Notification payload |
|
320 TInt iNotifyDataLth; // Notify data length |
|
321 TUint8 iNotifyData[4]; // Short notify data packed into network order |
|
322 |
|
323 CIkev2Acquire* iChildSaRequest;// On going Child SA request |
|
324 CIkev2Acquire* iAcquireFirst; // Pending PFKEY Acquire request |
|
325 CIkev2Expire* iExpireFirst; // Pending PFKEY Expire request |
|
326 |
|
327 TInt iDHGroupGuess; //Number of DH group guess retries for IKE_SA_INIT resquest |
|
328 }; |
|
329 #endif // _IKEV2NEGOTIATION_H_ |