diff -r 000000000000 -r 33413c0669b9 vpnengine/ikev2lib/inc/ikev2Negotiation.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/vpnengine/ikev2lib/inc/ikev2Negotiation.h Thu Dec 17 09:14:51 2009 +0200 @@ -0,0 +1,329 @@ +/* +* Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies). +* All rights reserved. +* This component and the accompanying materials are made available +* under the terms of "Eclipse Public License v1.0" +* which accompanies this distribution, and is available +* at the URL "http://www.eclipse.org/legal/epl-v10.html". +* +* Initial Contributors: +* Nokia Corporation - initial contribution. +* +* Contributors: +* +* Description: IKEv2 negotiation +* +*/ +#ifndef _IKEV2NEGOTIATION_H_ +#define _IKEV2NEGOTIATION_H_ + +#include + +#include "ikev2SAdata.h" +#include "ikev2natt.h" +#include "pfkeymsg.h" +#include "ikev2payloads.h" +#include "ikev2mobike.h" +#include "ikev2retransmittimer.h" +#include "ikecrypto.h" +#include "ikemsgrec.h" +#include "kmdapi.h" +#include "ikev2pkiservice.h" +#include "ikecert.h" +#include "ipsecsaspiretriever.h" +#include "ikev2ipsecsadata.h" +#include "ikev2EapInterface.h" + +static const TUint16 KMaxSendAttemps = 6; + +#define DEF_MSG_ID_WINDOW 1 + +#define IKEV2_DEF_NONCE_SIZE (160/8) //160 bits = 20 bytes +#define IKEV2_MIN_NONCE_SIZE (128/8) //128 bits = 16 bytes +#define IKEV2_DEF_LIFETIME 14400 //4 hours + +// +// IKE/IPSEC SA negotiation states +// +const TInt KStateIdle = 0; +const TInt KStateIkeInitPkiService = 1; +const TInt KStateIkeSaInitRequest = 2; +const TInt KStateIkeSaAuthRequest = 4; +const TInt KStateIkeWaitingId = 5; +const TInt KStateIkeSaEapStarted = 6; +const TInt KStateIkeSaEapGoing = 7; + +const TInt KStateIkeSaInitResponse = 11; +const TInt KStateIkeSaAuthWaitSpi = 12; +const TInt KStateIkeSaAuthResponse = 14; + + +const TInt KStateIkeSaCompleted = 20; + +const TInt KStateIkeChildSARequest = 21; +const TInt KStateIkeChildSAResponse = 22; + +const TInt KStateIkeSARekeyRequest = 23; +const TInt KStateIkeSARekeyResponse = 24; + +const TInt KStateIkeInfoRequest = 31; +const TInt KStateIkeInfoResponse = 32; +const TInt KStateIkeDeleteRequest = 33; +const TInt KStateIkeDeleteResponse = 34; +const TInt KStateChildDeleteRequest = 35; +const TInt KStateChildDeleteResponse = 36; + +class CIkev2PluginSession; +class CPFKeySocketIf; +class CIkev2Config; +class CIkeData; +class CIkev2Acquire; +class CIkev2Expire; +class MKmdEventLoggerIf; +class MIkeDebug; +class CIkeV2Message; +class CIkeV2Identity; +class CIkev2MessageSendQueue; + +/** + * CIkev2Negotiation + * + * @lib internal (ikev2lib.lib) + */ +NONSHARABLE_CLASS(CIkev2Negotiation) : public CBase, + public MIkeV2PkiServiceObserver, + public MIpsecSaSpiRetrieverCallback, + public MIkev2EapIfObserver, + public MIkev2RetransmitTimerCallback + { + friend class Ikev2MobIke; + +public: + + /** + * NewL + * + * @since S60 ?S60_version + * @param aControl Plugin control. Must be != NULL + * ownership not taken. + * @param aIkeData ?description + * @param aVpnIapId ?description + * @param aPhysicalInterfaceAddress IP address of the physical connection with scope. + * @param aRemote ?description + * @return self + */ + static CIkev2Negotiation* NewL(CIkev2PluginSession& aIkeV2PlugInSession, + CPFKeySocketIf& aPfKeySocketIf, + MKmdEventLoggerIf& aEventLogger, + CIkev2MessageSendQueue& aMessageSendQue, + MIkeDebug& aDebug, + CIkeData* aIkeData, + TUint32 aVpnIapId, + TUint32 aSAId, + TInetAddr aPhysicalInterfaceAddress, + TInetAddr aRemoteAddress); + + /** + * NewL + * + * @since S60 ?S60_version + * @param aControl Plugin control. Must be != NULL + * ownership not taken. + * @param aSAId ?description + * @return self + */ + static CIkev2Negotiation* NewL(CIkev2PluginSession& aIkeV2PlugInSession, + CPFKeySocketIf& aPfKeySocketIf, + MKmdEventLoggerIf& aEventLogger, + CIkev2MessageSendQueue& aMessageSendQue, + MIkeDebug& aDebug, + TIkev2SAData& aIkev2SAdata); + + ~CIkev2Negotiation(); + + void StartIkeSANegotiationL(); + TBool StartRespondingL(const ThdrISAKMP& aIkeMessage); + void StartIkeSADeleteL(); + void ProcessIkeMessageL(const ThdrISAKMP& aIkeMessage, const TInetAddr& aRemote, TUint16 aLocalPort); + void ProcessAcquireL(const TPfkeyMessage& aPfkeyMessage); + void ProcessExpireL(const TPfkeyMessage& aPfkeyMessage); + void StartIpsecSaRekeyingL(const TPfkeyMessage &aPfkeyMsg); + void BuildIkeSaRekeyMsgL(TBool aRequest); + + void SendKeepAliveMsgL(); + + TBool Stopped(); + + void CancelOperation(); + +// from base class MIkeV2PkiServiceObserver + void IkeV2PkiInitCompleteL(TInt aStatus); + +// from base class MIpsecSaSpiRetrieverCallback + void IpsecSaSpiRetrieved(TUint32 aSpiRequestId, + TInt aStatus, + TUint32 aSpi); + + +// from base class MIkev2EapIfObserver + void SendEapDataL(HBufC8* aEapData); + void EapEventL(TInt aEvent); + +// from base class MIkev2RetransmitTimerCallback + + /** + * From MIkev2RetransmitTimerCallback + * Request IKE request resend. + */ + void RetransmitRequest(); + +private: // implementation + CIkev2Negotiation(CIkev2PluginSession& aIkeV2PlugInSession, + CPFKeySocketIf& aPfKeySocketIf, + MKmdEventLoggerIf& aEventLogger, + CIkev2MessageSendQueue& aMessageSendQue, + MIkeDebug& aDebug, + TUint32 aSaId); + void ConstructL(); + + TBool ImplicitChildSa(); + HBufC8* PeekProposedSa(); + HBufC8* GetProposedSa(); + void SetProposedSa(HBufC8* aSaPl); + + CIkev2Acquire** GetAcquireQue(); + CIkev2Expire** GetExpireQue(); + TBool RequestsPending(); + void SetNotifyCode(TInt aMsgType); + TInt GetNotifyCode(); + void StoreNotifyData32(TUint32 aData); + void StoreNotifyData16(TUint16 aData); + TUint8* NotifyData(TInt& aDataLth); + TInetAddr GetLocalAddr() const; + + void IkeSaCompletedL(); + void IkeSaFailed(TInt aStatus = KKmdIkeNoResponseErr); + void IpsecSANegotiatedL(); + void CheckNotifyCodeL(CIkev2Payloads* IkeMsg); + void CreateIkeSPI(TIkeSPI& aSPI, TBool aRekey=EFalse); + void GetNatStatus(TBool aSupported, const TInetAddr& aRemote); + void GetIpsecSPI(CIkev2Acquire* aAcquire); + + void GetNonceDataL(TBool aInitiator); + void GetOwnIdentityL(TBool aEapIdResponse=EFalse); + + void LoadEapPluginL(); + TBool InitPkiServiceL(); + void StartIkeSaInitL(); + void SendIkeAuthMessageL(); + + void ContinueIkeNegotiationL(); + void BuildChildSAMessageL(CIkev2Acquire* aAcquire, TBool aInitiator); + void BuildDeleteRequestL(CIkev2Expire* aExpire); + + //Send the ike message. Claims the ownership of the message. + void SendIkeMsgL(CIkeV2Message* aMsg); + + TBool ProcessIkeSaInitL(CIkev2Payloads* aIkeMsg, const TInetAddr& aRemote); + TBool ProcessIkeAuthL(CIkev2Payloads* aIkeMsg); + TBool ProcessChildSaL(CIkev2Payloads* aIkeMsg); + TBool ProcessInfoMsgL(CIkev2Payloads* aIkeMsg); + TBool ProcessIkeSARekeyL(CIkev2Payloads* aIkeMsg); + TBool ProcessDeletePayloadsL(const CArrayFixFlat& aDeletes, TBool aRequest); + TBool ProcessNotifyPayloadsL(const CArrayFixFlat& aNotifys, TBool aRequest, TInt aExchange); + TBool ProcessCookieL(const CArrayFixFlat& aNotifys, TBool aRequest); + void ProcessInvalidKePayloadNotifyL(); + + void GenerateIkeKeysL(TIkev2SAData* aRekeydSaData=NULL); + + void SaveSignedDataL(TBool aLocal, const TDesC8& aIkeMsg); + void AddIdToSignedDataL(TBool aLocal, HBufC8* aSigned, const TDesC8& aIdData); + HBufC8* SignAuthDataL(const TDesC8& aAuthData, TUint8 aAuthMethod); + TBool AddIdAndAuthenticatePeerL(CIkev2Payloads* aIkeMsg); + TBool AuthenticatePeerL(TAuthPayloadIkev2* aAuth); + TBool VerifyPeerCertificateL(CArrayFixFlat* aCerts, TIDPayloadIkev2* aId ); + + TBool ProcessKeyExchangeL(TKEPayloadIkev2* aKePayload, TUint16 aGroup); + + void AppendKEPayloadL(CIkeV2Message& aIkeMsg, TUint16 aDHGroup); + + TPayloadIkev2* PadEncrPayload(HBufC8* aMsg, TPayloadIkev2* aEncrPl); + TUint16 TotalLength( TPayloadIkev2* aLoad, TPayloadIkev2* aLoad2 ); + TBool CheckPayloadsOrder(CIkev2Payloads* aIkeMsg, TUint8 aExchange, TBool aResponse); + TPayloadIkev2* BuildI2CertPayload(HBufC8* aMsg, TPayloadIkev2* aPrevPl); + TPayloadIkev2* BuildI1CertPayload(HBufC8* aMsg, TPayloadIkev2* aPrevPl); + + void IpsecSaSpiRetrievedL(TUint32 aSpiRequestId, TUint32 aSpi); + + /** + * Handles IKE datagram resend. + */ + void DoRetransmitL(TBool aResponse=EFalse); + +public: // Data + // + // Header Data (Common with IKEv2 SA) + // + TIkev2SAData iHdr; // Common negotiation info for IKE SA + TIkeV2IpsecSAData iChild; // Common negotiation info for IPSEC SA + CIkev2PluginSession& iIkeV2PlugInSession; // IKEv2 plugin engine + + + CIkev2Negotiation* iNext; // A link field to maintain negotiations. + +private: // Data + + CPFKeySocketIf& iPfKeySocketIf; + MKmdEventLoggerIf& iEventLogger; + CIkev2MessageSendQueue& iMessageSendQue; + MIkeDebug& iDebug; + + CIpsecSaSpiRetriever* iSpiRetriever; + + TInt iState; // Negotiation State + TUint32 iSAid_Rekey;// Rekeyed SAid + TIkeSPI iSPI_Rekey; // Local SPI for rekeyed IKE SA + TBool iStopped; // Negotiation failed indicator + TBool iDeleteIkeSA; // A notify message received from peer which requires IKE SA to be deleted + TBool iChildSARejected; // A notify message received which indicates that Child SA is not accepted + + TBool iDeactivateGoing; // Negotiation started due deactivate + TBool iCookieReturned; // Cookie returned to responder + TBool iPkiAuthRequired; // Private key signature is required as authentication + TBool iEapCompleted; // EAP authentication completed succesfully + TBool iPeerIdInSignedData; // Peer id has already been added to signed data + TBool iRekeyCollision; // Rekey collision occurred + TBool iProcessEvents; // Indicates whether the object is accepting events (not accepting when destructor called) + + CIkev2RetransmitTimer* iTimer; // Timer to retransmit IKE request message + CDHKeys* iDHKeys; // Diffie-Hellman calculation object + CIkev2NatT* iNatNotify; // Pointer to IKEv2 NAT Traversal object + CIkev2Config* iConfigMode; // Pointer to IKEv2 Config object + CIkev2EapIf* iEapPlugin; // Pointer to IKEv2 EAP interface object + CIkeV2PkiService* iPkiService; // Pointer to PKI service Interface object + HBufC8* iSavedSaInit; // Saved IKE_SA_INIT request (waiting PKI service init) + HBufC8* iProposedSA; // Proposed IKE/IPSEC SA payload content + HBufC8* iDHPublicPeer; // Diffie-Hellman Public value (peer) + HBufC8* iNonce_I; // Initiator Nonce + HBufC8* iNonce_R; // Responder Nonce + HBufC8* iAuthMsgInit; // Signed octet buffer (for initiator AUTH payload) + HBufC8* iAuthMsgResp; // Signed octet buffer (for responder AUTH payload) + HBufC8* iPresharedKey; // Configured preshared key- or EAP MSK data buffer + + CIkeV2Identity* iLocalIdentity; + CIkeV2Identity* iRemoteIdentity; + + CX509Certificate* iPeerCert; // Verified peer certificate + + TUint16 iSendAttempt; + TInt iNotifyCode; // Error status for Notification payload + TInt iNotifyDataLth; // Notify data length + TUint8 iNotifyData[4]; // Short notify data packed into network order + + CIkev2Acquire* iChildSaRequest;// On going Child SA request + CIkev2Acquire* iAcquireFirst; // Pending PFKEY Acquire request + CIkev2Expire* iExpireFirst; // Pending PFKEY Expire request + + TInt iDHGroupGuess; //Number of DH group guess retries for IKE_SA_INIT resquest + }; +#endif // _IKEV2NEGOTIATION_H_