1 /**
2  * @file ike.c
3  * @brief IKEv2 (Internet Key Exchange Protocol)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2022-2024 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneIPSEC Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.4.0
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL IKE_TRACE_LEVEL
33 
34 //Dependencies
35 #include "ipsec/ipsec_misc.h"
36 #include "ike/ike.h"
37 #include "ike/ike_fsm.h"
38 #include "ike/ike_algorithms.h"
39 #include "ike/ike_certificate.h"
40 #include "ike/ike_message_parse.h"
41 #include "ike/ike_misc.h"
42 #include "ike/ike_debug.h"
43 #include "pkix/pem_import.h"
44 #include "pkix/x509_cert_parse.h"
45 #include "debug.h"
46 
47 //Check IKEv2 library configuration
48 #if (IKE_SUPPORT == ENABLED)
49 
50 
/**
 * @brief Initialize settings with default values
 * @param[out] settings Structure that contains IKE settings. Only the fields
 *   listed below are written; the application must still supply a PRNG and
 *   the IKE SA / Child SA entry tables before calling ikeInit()
 **/

void ikeGetDefaultSettings(IkeSettings *settings)
{
   //Task parameters: the default set, with the stack size and priority
   //configured for the IKE service
   settings->task = OS_TASK_DEFAULT_PARAMS;
   settings->task.stackSize = IKE_STACK_SIZE;
   settings->task.priority = IKE_PRIORITY;

   //No network interface is selected by default
   settings->interface = NULL;

   //The PRNG is mandatory but must be provided by the application
   //(ikeInit rejects a NULL algorithm or context)
   settings->prngAlgo = NULL;
   settings->prngContext = NULL;

   //The SA tables are likewise provided by the application
   settings->saEntries = NULL;
   settings->numSaEntries = 0;
   settings->childSaEntries = NULL;
   settings->numChildSaEntries = 0;

   //Default lifetime of IKE SAs and Child SAs
   settings->saLifetime = IKE_DEFAULT_SA_LIFETIME;
   settings->childSaLifetime = IKE_DEFAULT_CHILD_SA_LIFETIME;

   //Reauthentication period
   settings->reauthPeriod = 0;

#if (IKE_DPD_SUPPORT == ENABLED)
   //Dead peer detection period
   settings->dpdPeriod = 0;
#endif
#if (IKE_COOKIE_SUPPORT == ENABLED)
   //No cookie generation/verification callbacks are registered by default
   settings->cookieGenerateCallback = NULL;
   settings->cookieVerifyCallback = NULL;
#endif
#if (IKE_CERT_AUTH_SUPPORT == ENABLED)
   //No certificate verification callback is registered by default
   settings->certVerifyCallback = NULL;
#endif
}
100 
101 
/**
 * @brief IKE service initialization
 * @param[in] context Pointer to the IKE context
 * @param[in] settings IKE specific settings
 * @return Error code
 **/

error_t ikeInit(IkeContext *context, const IkeSettings *settings)
{
   //Debug message
   TRACE_INFO("Initializing IKE...\r\n");

   //Reject missing parameters, a missing PRNG and empty SA tables
   if(context == NULL || settings == NULL ||
      settings->prngAlgo == NULL || settings->prngContext == NULL ||
      settings->saEntries == NULL || settings->numSaEntries == 0 ||
      settings->childSaEntries == NULL || settings->numChildSaEntries == 0)
   {
      return ERROR_INVALID_PARAMETER;
   }

   //Start from a zeroed context
   osMemset(context, 0, sizeof(IkeContext));

   //Task parameters (the task itself is created by ikeStart)
   context->taskParams = settings->task;
   context->taskId = OS_INVALID_TASK_ID;

   //Copy the remaining settings into the context
   context->interface = settings->interface;
   context->prngAlgo = settings->prngAlgo;
   context->prngContext = settings->prngContext;
   context->sa = settings->saEntries;
   context->numSaEntries = settings->numSaEntries;
   context->childSa = settings->childSaEntries;
   context->numChildSaEntries = settings->numChildSaEntries;
   context->saLifetime = settings->saLifetime;
   context->childSaLifetime = settings->childSaLifetime;
   context->reauthPeriod = settings->reauthPeriod;

#if (IKE_DPD_SUPPORT == ENABLED)
   //Dead peer detection period
   context->dpdPeriod = settings->dpdPeriod;
#endif
#if (IKE_COOKIE_SUPPORT == ENABLED)
   //Cookie generation/verification callback functions
   context->cookieGenerateCallback = settings->cookieGenerateCallback;
   context->cookieVerifyCallback = settings->cookieVerifyCallback;
#endif
#if (IKE_CERT_AUTH_SUPPORT == ENABLED)
   //Certificate verification callback function
   context->certVerifyCallback = settings->certVerifyCallback;
#endif

   //Default Diffie-Hellman group; ikeSetPreferredDhGroup can override it
   context->preferredDhGroupNum = ikeSelectDefaultDhGroup();

   //Register this context as the IKE context of the network stack
   netContext.ikeContext = context;

   //The event object is what wakes up the IKE task; if it cannot be
   //created, undo the registration above
   if(!osCreateEvent(&context->event))
   {
      ikeDeinit(context);
      return ERROR_OUT_OF_RESOURCES;
   }

   //Successful initialization
   return NO_ERROR;
}
199 
200 
/**
 * @brief Start IKE service
 * @param[in] context Pointer to the IKE context
 * @return Error code
 **/

error_t ikeStart(IkeContext *context)
{
   error_t error;

   //Make sure the IKE context is valid
   if(context == NULL)
      return ERROR_INVALID_PARAMETER;

   //Debug message
   TRACE_INFO("Starting IKE...\r\n");

   //Starting twice would leak the socket and task of the first start
   if(context->running)
      return ERROR_ALREADY_RUNNING;

   //Open the UDP socket the service listens on
   context->socket = socketOpen(SOCKET_TYPE_DGRAM, SOCKET_IP_PROTO_UDP);
   //Failed to open socket?
   if(context->socket == NULL)
   {
      error = ERROR_OPEN_FAILED;
      goto fail;
   }

   //Restrict the socket to the configured interface
   error = socketBindToInterface(context->socket, context->interface);
   //Unable to bind the socket to the desired interface?
   if(error)
      goto fail;

   //IKE normally listens and sends on UDP port 500 (refer to RFC 7296,
   //section 2)
   error = socketBind(context->socket, &IP_ADDR_ANY, IKE_PORT);
   //Unable to bind the socket to the desired port?
   if(error)
      goto fail;

   //Mark the service as running before the task exists, so that the task
   //never observes a stale stop request
   context->stop = FALSE;
   context->running = TRUE;

   //Spawn the IKE task
   context->taskId = osCreateTask("IKE", (OsTaskCode) ikeTask, context,
      &context->taskParams);

   //Task created successfully?
   if(context->taskId != OS_INVALID_TASK_ID)
      return NO_ERROR;

   //Failed to create task
   error = ERROR_OUT_OF_RESOURCES;

fail:
   //Clean up side effects
   context->running = FALSE;

   //Close the UDP socket
   socketClose(context->socket);
   context->socket = NULL;

   //Return status code
   return error;
}
282 
283 
/**
 * @brief Stop IKE service
 * @param[in] context Pointer to the IKE context
 * @return Error code
 **/

error_t ikeStop(IkeContext *context)
{
   //Make sure the IKE context is valid
   if(context == NULL)
      return ERROR_INVALID_PARAMETER;

   //Debug message
   TRACE_INFO("Stopping IKE...\r\n");

   //Nothing to do when the service is not running
   if(!context->running)
      return NO_ERROR;

   //Ask the task to terminate and wake it up from socketPoll
   context->stop = TRUE;
   osSetEvent(&context->event);

   //Wait until the task has cleared the running flag before closing the
   //socket it is polling on
   while(context->running)
   {
      osDelayTask(1);
   }

   //Close the UDP socket
   socketClose(context->socket);
   context->socket = NULL;

   //Successful processing
   return NO_ERROR;
}
321 
322 
/**
 * @brief Specify the preferred Diffie-Hellman group
 * @param[in] context Pointer to the IKE context
 * @param[in] dhGroupNum Preferred Diffie-Hellman group number
 * @return Error code
 **/

error_t ikeSetPreferredDhGroup(IkeContext *context, uint16_t dhGroupNum)
{
   //Make sure the IKE context is valid
   if(context == NULL)
      return ERROR_INVALID_PARAMETER;

   //Only groups compiled into this build can be proposed to the peer
   if(ikeIsDhGroupSupported(dhGroupNum))
   {
      //Save the preferred Diffie-Hellman group number
      context->preferredDhGroupNum = dhGroupNum;
      //Successful processing
      return NO_ERROR;
   }

   //Unsupported group
   return ERROR_INVALID_GROUP;
}
346 
347 
/**
 * @brief Set entity's ID
 * @param[in] context Pointer to the IKE context
 * @param[in] idType ID type
 * @param[in] id Pointer to the identification data
 * @param[in] idLen Length of the identification data, in bytes (at most
 *   IKE_MAX_ID_LEN)
 * @return Error code
 **/

error_t ikeSetId(IkeContext *context, IkeIdType idType, const void *id,
   size_t idLen)
{
   //Check parameters
   if(context == NULL || id == NULL)
      return ERROR_INVALID_PARAMETER;

   //The identification data is copied into a fixed-size buffer, so the
   //length must be checked before the copy
   if(idLen > IKE_MAX_ID_LEN)
      return ERROR_INVALID_LENGTH;

   //Save identification data
   context->idType = idType;
   context->idLen = idLen;
   osMemcpy(context->id, id, idLen);

   //Successful processing
   return NO_ERROR;
}
376 
377 
/**
 * @brief Set entity's pre-shared key
 * @param[in] context Pointer to the IKE context
 * @param[in] psk Pointer to the pre-shared key
 * @param[in] pskLen Length of the pre-shared key, in bytes (at most
 *   IKE_MAX_PSK_LEN)
 * @return Error code
 **/

error_t ikeSetPsk(IkeContext *context, const uint8_t *psk, size_t pskLen)
{
#if (IKE_PSK_AUTH_SUPPORT == ENABLED)
   //Check parameters
   if(context == NULL || psk == NULL)
      return ERROR_INVALID_PARAMETER;

   //The key is copied into a fixed-size buffer; note that only the upper
   //bound is enforced here, a zero-length key is accepted
   if(pskLen > IKE_MAX_PSK_LEN)
      return ERROR_INVALID_LENGTH;

   //The key is kept in plaintext inside the context and wiped by ikeDeinit
   context->pskLen = pskLen;
   osMemcpy(context->psk, psk, pskLen);

   //Successful processing
   return NO_ERROR;
#else
   //Pre-shared key authentication is not supported
   return ERROR_NOT_IMPLEMENTED;
#endif
}
408 
409 
#if (IKE_CERT_AUTH_SUPPORT == ENABLED)

/**
 * @brief Decode the first PEM certificate of a chain and determine its type
 * @param[in] certChain Certificate chain (PEM format)
 * @param[in] certChainLen Length of the certificate chain
 * @param[out] certType Certificate type (valid only on success)
 * @return Error code
 **/

static error_t ikeGetCertChainType(const char_t *certChain,
   size_t certChainLen, IkeCertType *certType)
{
   error_t error;
   uint8_t *derCert;
   size_t derCertLen;
   X509CertInfo *certInfo;

   //First pass: compute the length of the DER-encoded certificate
   error = pemImportCertificate(certChain, certChainLen, NULL, &derCertLen,
      NULL);
   //Any error to report?
   if(error)
      return error;

   //Allocate a buffer large enough for the DER-encoded certificate
   derCert = ikeAllocMem(derCertLen);
   //Failed to allocate memory?
   if(derCert == NULL)
      return ERROR_OUT_OF_MEMORY;

   //Second pass: decode the PEM certificate into the buffer
   error = pemImportCertificate(certChain, certChainLen, derCert, &derCertLen,
      NULL);

   //Check status code
   if(!error)
   {
      //Allocate a memory buffer to store X.509 certificate info
      certInfo = ikeAllocMem(sizeof(X509CertInfo));

      //Successful memory allocation?
      if(certInfo != NULL)
      {
         //Parse the certificate (the TRUE argument is the parser's
         //ignoreUnknown flag)
         error = x509ParseCertificateEx(derCert, derCertLen, certInfo, TRUE);

         //Derive the certificate type from the parsed data
         if(!error)
         {
            error = ikeGetCertificateType(certInfo, certType);
         }

         //Release the parsed certificate
         ikeFreeMem(certInfo);
      }
      else
      {
         //Failed to allocate memory
         error = ERROR_OUT_OF_MEMORY;
      }
   }

   //Release the DER buffer on every path
   ikeFreeMem(derCert);

   //Return status code
   return error;
}

#endif


/**
 * @brief Load entity's certificate
 * @param[in] context Pointer to the IKE context
 * @param[in] certChain Certificate chain (PEM format). This parameter is
 *   taken as reference
 * @param[in] certChainLen Length of the certificate chain
 * @param[in] privateKey Private key (PEM format). This parameter is taken
 *   as reference
 * @param[in] privateKeyLen Length of the private key
 * @param[in] password NULL-terminated string containing the password. This
 *   parameter is required if the private key is encrypted
 * @return Error code
 **/

error_t ikeSetCertificate(IkeContext *context, const char_t *certChain,
   size_t certChainLen, const char_t *privateKey, size_t privateKeyLen,
   const char_t *password)
{
#if (IKE_CERT_AUTH_SUPPORT == ENABLED)
   error_t error;
   IkeCertType certType;

   //A certificate chain is mandatory
   if(context == NULL || certChain == NULL || certChainLen == 0)
      return ERROR_INVALID_PARAMETER;

   //The private key is optional, but a non-zero length without a key
   //pointer is inconsistent
   if(privateKey == NULL && privateKeyLen != 0)
      return ERROR_INVALID_PARAMETER;

   //The password is copied into a fixed-size buffer of the context, so its
   //length is checked up front
   if(password != NULL && osStrlen(password) > IKE_MAX_PASSWORD_LEN)
      return ERROR_INVALID_PASSWORD;

   //Validate the chain and determine its type before touching the context
   error = ikeGetCertChainType(certChain, certChainLen, &certType);
   //Any error to report?
   if(error)
      return error;

   //The chain and the private key are stored by reference: the caller must
   //keep both buffers alive for as long as the context is in use
   context->certType = certType;
   context->certChain = certChain;
   context->certChainLen = certChainLen;
   context->privateKey = privateKey;
   context->privateKeyLen = privateKeyLen;

   //The password is copied; an absent password is stored as an empty string
   osStrcpy(context->password, (password != NULL) ? password : "");

   //Successful processing
   return NO_ERROR;
#else
   //Certificate authentication is not supported
   return ERROR_NOT_IMPLEMENTED;
#endif
}
532 
533 
/**
 * @brief Delete an IKE SA
 * @param[in] sa Pointer to the IKE SA to delete
 * @return Error code
 **/

error_t ikeDeleteSa(IkeSaEntry *sa)
{
   //Make sure the IKE SA is valid
   if(sa == NULL)
      return ERROR_INVALID_PARAMETER;

   //Debug message
   TRACE_INFO("Deleting IKE SA...\r\n");

   //An SA that is already closed needs no further action
   if(sa->state == IKE_SA_STATE_CLOSED)
      return NO_ERROR;

   //Closure is carried out asynchronously by the IKE task: flag the request
   //and wake the task up through the event of the owning context
   sa->deleteRequest = TRUE;
   osSetEvent(&sa->context->event);

   //Successful processing
   return NO_ERROR;
}
566 
567 
/**
 * @brief Create a new Child SA
 * @param[in] context Pointer to the IKE context
 * @param[in] packet Triggering packet
 * @return Error code
 **/

error_t ikeCreateChildSa(IkeContext *context, const IpsecPacketInfo *packet)
{
   error_t error;
   IpAddr peerAddr;
   IkeChildSaEntry *child;
   IpsecContext *ipsecContext;
   IpsecSpdEntry *policy;
   IpsecSelector sel;

   //Check parameters
   if(context == NULL || packet == NULL)
      return ERROR_INVALID_PARAMETER;

   //Debug message
   TRACE_INFO("Creating Child SA...\r\n");

   //Point to the IPsec context
   ipsecContext = netContext.ipsecContext;

   //Build a selector that matches exactly the triggering packet; it defines
   //the granularity of the SAs created in response to that packet
   sel.localIpAddr.start = packet->localIpAddr;
   sel.localIpAddr.end = packet->localIpAddr;
   sel.remoteIpAddr.start = packet->remoteIpAddr;
   sel.remoteIpAddr.end = packet->remoteIpAddr;
   sel.nextProtocol = packet->nextProtocol;
   sel.localPort.start = packet->localPort;
   sel.localPort.end = packet->localPort;

   //ICMP carries no port, so the remote port field takes the opaque range
   if(packet->nextProtocol == IPV4_PROTOCOL_ICMP)
   {
      sel.remotePort.start = IPSEC_PORT_START_OPAQUE;
      sel.remotePort.end = IPSEC_PORT_END_OPAQUE;
   }
   else
   {
      sel.remotePort.start = packet->remotePort;
      sel.remotePort.end = packet->remotePort;
   }

   //Look the SPD up for a PROTECT policy covering this traffic
   policy = ipsecFindSpdEntry(ipsecContext, IPSEC_POLICY_ACTION_PROTECT,
      &sel);

   //Every SPD should have a nominal, final entry that matches anything that is
   //otherwise unmatched, and discards it (refer to RFC 4301, section 4.4.1)
   if(policy == NULL)
      return ERROR_NOT_FOUND;

   //In transport mode the peer is the packet's destination; in tunnel mode
   //it is the remote tunnel endpoint of the policy
   if(policy->mode == IPSEC_MODE_TRANSPORT)
   {
      peerAddr = packet->remoteIpAddr;
   }
   else
   {
      peerAddr = policy->remoteTunnelAddr;
   }

   //For each selector in an SPD entry, the entry specifies how to derive the
   //corresponding values for a new SAD entry from those in the SPD and the
   //packet (refer to RFC 4301, section 4.4.1)
   error = ipsecDeriveSelector(policy, packet, &sel);
   //Any error to report?
   if(error)
      return error;

   //Allocate a Child SA entry
   child = ikeCreateChildSaEntry(context);
   //No free entry left?
   if(child == NULL)
      return ERROR_OUT_OF_RESOURCES;

   //This side initiates the Child SA
   child->remoteIpAddr = peerAddr;
   child->mode = policy->mode;
   child->protocol = policy->protocol;
   child->initiator = TRUE;
   child->packetInfo = *packet;
   child->selector = sel;

   //Pre-fill the outbound SAD entry associated with this Child SA
   ipsecContext->sad[child->outboundSa].direction = IPSEC_DIR_OUTBOUND;
   ipsecContext->sad[child->outboundSa].selector = sel;

   //Move the Child SA to its initial state and wake up the IKE task, which
   //drives the rest of the creation
   ikeChangeChildSaState(child, IKE_CHILD_SA_STATE_INIT);
   osSetEvent(&context->event);

   //Successful processing
   return NO_ERROR;
}
669 
670 
671 
672 
/**
 * @brief Delete a Child SA
 * @param[in] childSa Pointer to the Child SA to delete
 * @return Error code
 **/

error_t ikeDeleteChildSa(IkeChildSaEntry *childSa)
{
   //Make sure the Child SA is valid
   if(childSa == NULL)
      return ERROR_INVALID_PARAMETER;

   //Debug message
   TRACE_INFO("Deleting Child SA...\r\n");

   //A Child SA that is already closed needs no further action
   if(childSa->state == IKE_CHILD_SA_STATE_CLOSED)
      return NO_ERROR;

   //Closure is carried out asynchronously by the IKE task: flag the request
   //and wake the task up through the event of the owning context
   childSa->deleteRequest = TRUE;
   osSetEvent(&childSa->context->event);

   //Successful processing
   return NO_ERROR;
}
705 
706 
/**
 * @brief IKE task
 * @param[in] context Pointer to the IKE context
 **/

void ikeTask(IkeContext *context)
{
   error_t error;
   SocketEventDesc pollDesc;

#if (NET_RTOS_SUPPORT == ENABLED)
   //Task prologue
   osEnterTask();

   //Main loop
   for(;;)
   {
#endif
      //Wake up on an incoming datagram, on the context event (signaled by
      //ikeStop, ikeDeleteSa, ikeCreateChildSa, ...) or after IKE_TICK_INTERVAL
      pollDesc.socket = context->socket;
      pollDesc.eventMask = SOCKET_EVENT_RX_READY;
      pollDesc.eventFlags = 0;

      //Wait for an event
      socketPoll(&pollDesc, 1, &context->event, IKE_TICK_INTERVAL);

      //Stop request?
      if(context->stop)
      {
         //Acknowledge the stop request (ikeStop spins on this flag)
         context->running = FALSE;
         //Task epilogue
         osExitTask();
         //Terminate the calling task
         osDeleteTask(OS_SELF_TASK_ID);
      }

      //Any datagram received?
      if(pollDesc.eventFlags != 0)
      {
         //An implementation must accept incoming requests even if the source
         //port is not 500 or 4500 (refer to RFC 7296, section 2.11)
         error = socketReceiveEx(context->socket, &context->remoteIpAddr,
            &context->remotePort, &context->localIpAddr, context->message,
            IKE_MAX_MSG_SIZE, &context->messageLen, 0);

         //Process the datagram; the parser's status is not propagated, an
         //invalid message is simply dropped
         if(!error)
         {
            ikeProcessMessage(context, context->message, context->messageLen);
         }
      }

      //Handle IKE events
      ikeProcessEvents(context);

#if (NET_RTOS_SUPPORT == ENABLED)
   }
#endif
}
768 
769 
/**
 * @brief Release IKE context
 * @param[in] context Pointer to the IKE context
 **/

void ikeDeinit(IkeContext *context)
{
   //Nothing to release for a NULL context
   if(context == NULL)
      return;

   //Unregister the context from the network stack
   netContext.ikeContext = NULL;

   //NOTE(review): ikeInit calls this when osCreateEvent failed, so the OS
   //port's osDeleteEvent is expected to tolerate a zeroed, never-created
   //event object - confirm against the port in use
   osDeleteEvent(&context->event);

   //Wipe the whole context, including any pre-shared key and password
   //stored by ikeSetPsk/ikeSetCertificate
   osMemset(context, 0, sizeof(IkeContext));
}
790 
791 #endif