ike_message_parse.c

Go to the documentation of this file.

/**
 * @file ike_message_parse.c
 * @brief IKE message parsing
 *
 * @section License
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 *
 * Copyright (C) 2022-2024 Oryx Embedded SARL. All rights reserved.
 *
 * This file is part of CycloneIPSEC Open.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 *
 * @author Oryx Embedded SARL (www.oryx-embedded.com)
 * @version 2.4.0
 **/
 
//Switch to the appropriate trace level
#define TRACE_LEVEL IKE_TRACE_LEVEL
 
//Dependencies
#include "ipsec/ipsec_misc.h"
#include "ike/ike.h"
#include "ike/ike_fsm.h"
#include "ike/ike_algorithms.h"
#include "ike/ike_message_format.h"
#include "ike/ike_message_parse.h"
#include "ike/ike_message_decrypt.h"
#include "ike/ike_payload_parse.h"
#include "ike/ike_auth.h"
#include "ike/ike_certificate.h"
#include "ike/ike_key_exchange.h"
#include "ike/ike_key_material.h"
#include "ike/ike_dh_groups.h"
#include "ike/ike_misc.h"
#include "ike/ike_debug.h"
#include "ah/ah_algorithms.h"
#include "esp/esp_algorithms.h"
#include "debug.h"
 
//Check IKEv2 library configuration
#if (IKE_SUPPORT == ENABLED)
 
 
/**
 * @brief Process incoming IKE message
 * @param[in] context Pointer to the IKE context
 * @param[in] message Pointer to the received IKE message
 * @param[in] length Length of the IKE message, in bytes
 * @return Error code
 **/
 
error_t ikeProcessMessage(IkeContext *context, uint8_t *message, size_t length)
{
   error_t error;
   IkeHeader *ikeHeader;
 
   //Malformed IKE message?
   if(length < sizeof(IkeHeader))
      return ERROR_INVALID_LENGTH;
 
   //Each message begins with the IKE header
   ikeHeader = (IkeHeader *) message;
 
   //Debug message
   TRACE_INFO("IKE message received (%" PRIuSIZE " bytes)...\r\n", length);
   //Dump IKE message for debugging purpose
   ikeDumpMessage(message, length);
 
   //Check the length of the IKE message
   if(length < ntohl(ikeHeader->length))
      return ERROR_INVALID_LENGTH;
 
   //The Length field indicates the total length of the IKE message in octets
   length = ntohl(ikeHeader->length);
 
   //The R bit indicates whether the message is a request or response
   if((ikeHeader->flags & IKE_FLAGS_R) == 0)
   {
      //Process incoming IKE request
      error = ikeProcessRequest(context, message, length);
   }
   else
   {
      //Process incoming IKE response
      error = ikeProcessResponse(context, message, length);
   }
 
   //Return status code
   return error;
}
 
 
/**
 * @brief Process incoming IKE request
 * @param[in] context Pointer to the IKE context
 * @param[in] message Pointer to the received IKE message
 * @param[in] length Length of the IKE message, in bytes
 * @return Error code
 **/
 
error_t ikeProcessRequest(IkeContext *context, uint8_t *message, size_t length)
{
   error_t error;
   uint8_t exchangeType;
   IkeHeader *ikeHeader;
   IkeSaEntry *sa;
 
   //Each message begins with the IKE header
   ikeHeader = (IkeHeader *) message;
   //The Exchange Type field indicates the type of exchange being used
   exchangeType = ikeHeader->exchangeType;
 
   //Check the major version number
   if(ikeHeader->majorVersion <= IKE_MAJOR_VERSION)
   {
      //Initial exchange?
      if(exchangeType == IKE_EXCHANGE_TYPE_IKE_SA_INIT)
      {
         //Process IKE_SA_INIT request
         error = ikeProcessIkeSaInitRequest(context, message, length);
      }
      else
      {
         //Perform IKE SA lookup
         sa = ikeFindSaEntry(context, ikeHeader);
 
         //Check whether the receiving node has an active IKE SA
         if(sa != NULL)
         {
            //All messages following the initial exchange are cryptographically
            //protected using the cryptographic algorithms and keys negotiated
            //in the IKE_SA_INIT exchange (refer to RFC 7296, section 1.2)
            error = ikeDecryptMessage(sa, message, &length);
 
            //Check status code
            if(!error)
            {
               //The responder must remember each response until it receives a
               //request whose sequence number is larger than or equal to the
               //sequence number in the response plus its window size
               if(ntohl(ikeHeader->messageId) < sa->rxMessageId &&
                  sa->rxMessageId != UINT32_MAX)
               {
                  //If the responder receives a retransmitted request for which
                  //it has already forgotten the response, it must ignore the
                  //request
               }
               else if(ntohl(ikeHeader->messageId) == sa->rxMessageId &&
                  sa->rxMessageId != UINT32_MAX)
               {
                  //The responder has received a retransmission of the request
                  error = ikeRetransmitResponse(sa);
               }
               else if(ntohl(ikeHeader->messageId) == (sa->rxMessageId + 1))
               {
                  //The counter increments as requests are received
                  sa->rxMessageId++;
 
                  //In the unlikely event that Message IDs grow too large to fit
                  //in 32 bits, the IKE SA must be closed or rekeyed (refer to
                  //RFC 7296, section 2.2)
                  if(sa->rxMessageId == UINT32_MAX)
                  {
                     //Delete the IKE SA
                     ikeDeleteSaEntry(sa);
                  }
                  else
                  {
                     //Forget the previous response
                     sa->responseLen = 0;
                     //Clear error notification
                     sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_NONE;
 
                     //Check IKE exchange type
                     if(exchangeType == IKE_EXCHANGE_TYPE_IKE_AUTH)
                     {
                        //Process IKE_AUTH request
                        error = ikeProcessIkeAuthRequest(sa, message, length);
                     }
                     else if(exchangeType == IKE_EXCHANGE_TYPE_CREATE_CHILD_SA)
                     {
                        //Process CREATE_CHILD_SA request
                        error = ikeProcessCreateChildSaRequest(sa, message,
                           length);
                     }
                     else if(exchangeType == IKE_EXCHANGE_TYPE_INFORMATIONAL)
                     {
                        //Process INFORMATIONAL request
                        error = ikeProcessInformationalRequest(sa, message,
                           length);
                     }
                     else
                     {
                        //Unknown exchange type
                        error = ERROR_UNKNOWN_TYPE;
                     }
 
                     //Only authentication failures (AUTHENTICATION_FAILED) and
                     //malformed messages (INVALID_SYNTAX) lead to a deletion of
                     //the IKE SA without requiring an explicit INFORMATIONAL
                     //exchange carrying a Delete payload
                     if(sa->notifyMsgType == IKE_NOTIFY_MSG_TYPE_AUTH_FAILED ||
                        sa->notifyMsgType == IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX)
                     {
                        //This error notification is considered fatal in both peers
                        ikeDeleteSaEntry(sa);
                     }
                  }
               }
               else
               {
                  //Discard the request since the message ID is outside the
                  //supported window
               }
            }
         }
         else
         {
            //If a node receives a message on UDP port 500 or 4500 outside the
            //context of an IKE SA known to it (and the message is not a request
            //to start an IKE SA), this may be the result of a recent crash of
            //the node. If the message is marked as a request, the node can audit
            //the suspicious event and may send a response
            error = ikeSendErrorResponse(context, message, length);
         }
      }
   }
   else
   {
      //If an IKE request packet arrives with a higher major version number
      //than the implementation supports, the node notifies the sender about
      //this situation (refer to RFC 7296, section 1.5)
      error = ikeSendErrorResponse(context, message, length);
   }
 
   //Return status code
   return error;
}
 
 
/**
 * @brief Process incoming IKE response
 * @param[in] context Pointer to the IKE context
 * @param[in] message Pointer to the received IKE message
 * @param[in] length Length of the IKE message, in bytes
 * @return Error code
 **/
 
error_t ikeProcessResponse(IkeContext *context, uint8_t *message, size_t length)
{
   error_t error;
   uint8_t exchangeType;
   IkeHeader *ikeHeader;
   IkeSaEntry *sa;
 
   //Initialize status code
   error = NO_ERROR;
 
   //Each message begins with the IKE header
   ikeHeader = (IkeHeader *) message;
   //The Exchange Type field indicates the type of exchange being used
   exchangeType = ikeHeader->exchangeType;
 
   //Check the major version number
   if(ikeHeader->majorVersion <= IKE_MAJOR_VERSION)
   {
      //Perform IKE SA lookup
      sa = ikeFindSaEntry(context, ikeHeader);
 
      //Check whether the receiving node has an active IKE SA
      if(sa != NULL)
      {
         //Check the state of the IKE SA
         if(sa->state == IKE_SA_STATE_INIT_RESP ||
            sa->state == IKE_SA_STATE_AUTH_RESP ||
            sa->state == IKE_SA_STATE_DPD_RESP ||
            sa->state == IKE_SA_STATE_REKEY_RESP ||
            sa->state == IKE_SA_STATE_DELETE_RESP ||
            sa->state == IKE_SA_STATE_CREATE_CHILD_RESP ||
            sa->state == IKE_SA_STATE_REKEY_CHILD_RESP ||
            sa->state == IKE_SA_STATE_DELETE_CHILD_RESP ||
            sa->state == IKE_SA_STATE_AUTH_FAILURE_RESP)
         {
            //The Message ID field is used to match requests and responses
            if(ntohl(ikeHeader->messageId) == sa->txMessageId)
            {
               //All messages following the initial exchange are cryptographically
               //protected using the cryptographic algorithms and keys negotiated
               //in the IKE_SA_INIT exchange (refer to RFC 7296, section 1.2)
               if(exchangeType != IKE_EXCHANGE_TYPE_IKE_SA_INIT)
               {
                  //Decrypt IKE message
                  error = ikeDecryptMessage(sa, message, &length);
               }
 
               //Check status code
               if(!error)
               {
                  //Check IKE exchange type
                  if(exchangeType == IKE_EXCHANGE_TYPE_IKE_SA_INIT)
                  {
                     //Process IKE_SA_INIT response
                     error = ikeProcessIkeSaInitResponse(sa, message, length);
                  }
                  else if(exchangeType == IKE_EXCHANGE_TYPE_IKE_AUTH)
                  {
                     //Process IKE_AUTH response
                     error = ikeProcessIkeAuthResponse(sa, message, length);
                  }
                  else if(exchangeType == IKE_EXCHANGE_TYPE_CREATE_CHILD_SA)
                  {
                     //Process CREATE_CHILD_SA response
                     error = ikeProcessCreateChildSaResponse(sa, message, length);
                  }
                  else if(exchangeType == IKE_EXCHANGE_TYPE_INFORMATIONAL)
                  {
                     //Process INFORMATIONAL response
                     error = ikeProcessInformationalResponse(sa, message, length);
                  }
                  else
                  {
                     //Unknown exchange type
                     error = ERROR_UNKNOWN_TYPE;
                  }
 
                  //Only authentication failures (AUTHENTICATION_FAILED) and
                  //malformed messages (INVALID_SYNTAX) lead to a deletion of
                  //the IKE SA without requiring an explicit INFORMATIONAL
                  //exchange carrying a Delete payload
                  if(sa->notifyMsgType == IKE_NOTIFY_MSG_TYPE_AUTH_FAILED ||
                     sa->notifyMsgType == IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX)
                  {
                     //This error notification is considered fatal in both peers
                     ikeDeleteSaEntry(sa);
                  }
               }
            }
            else
            {
               //Unexpected Message ID
               error = ERROR_WRONG_IDENTIFIER;
            }
         }
         else
         {
            //Unexpected response
            error = ERROR_UNEXPECTED_MESSAGE;
         }
      }
      else
      {
         //If a node receives a message on UDP port 500 or 4500 outside the
         //context of an IKE SA known to it, this may be the result of a
         //recent crash of the node. If the message is marked as a response,
         //the node can audit the suspicious event but must not respond
         error = ERROR_INVALID_SPI;
      }
   }
   else
   {
      //If an endpoint receives a message with a higher major version number,
      //it must drop the message
      error = ERROR_INVALID_VERSION;
   }
 
   //Return status code
   return error;
}
 
 
/**
 * @brief Process incoming IKE_SA_INIT request
 * @param[in] context Pointer to the IKE context
 * @param[in] message Pointer to the received IKE message
 * @param[in] length Length of the IKE message, in bytes
 * @return Error code
 **/
 
error_t ikeProcessIkeSaInitRequest(IkeContext *context, const uint8_t *message,
   size_t length)
{
   error_t error;
   IkeSaEntry *sa;
   const IkeHeader *ikeHeader;
   const IkeSaPayload *saPayload;
   const IkeKePayload *kePayload;
   const IkeNoncePayload *noncePayload;
#if (IKE_COOKIE_SUPPORT == ENABLED || IKE_SIGN_HASH_ALGOS_SUPPORT == ENABLED)
   const IkeNotifyPayload *notifyPayload;
#endif
 
   //Each message begins with the IKE header
   ikeHeader = (IkeHeader *) message;
 
   //The initiator's SPI must not be zero (refer to RFC 7296, section 3.1)
   if(osMemcmp(ikeHeader->initiatorSpi, IKE_INVALID_SPI, IKE_SPI_SIZE) == 0)
      return ERROR_INVALID_MESSAGE;
 
   //The responder's SPI must be zero in the first message of an IKE initial
   //exchange (including repeats of that message including a cookie)
   if(osMemcmp(ikeHeader->responderSpi, IKE_INVALID_SPI, IKE_SPI_SIZE) != 0)
      return ERROR_INVALID_MESSAGE;
 
   //The Message ID is a 32-bit quantity, which is zero for the IKE_SA_INIT
   //messages (including retries of the message due to responses such as
   //COOKIE and INVALID_KE_PAYLOAD)
   if(ntohl(ikeHeader->messageId) != 0)
      return ERROR_INVALID_MESSAGE;
 
   //The SAi payload states the cryptographic algorithms the initiator supports
   //for the IKE SA (refer to RFC 7296, section 1.2)
   saPayload = (IkeSaPayload *) ikeGetPayload(message, length,
      IKE_PAYLOAD_TYPE_SA, 0);
 
   //The KEi payload sends the initiator's Diffie-Hellman value
   kePayload = (IkeKePayload *) ikeGetPayload(message, length,
      IKE_PAYLOAD_TYPE_KE, 0);
 
   //The initiator sends its nonce in the Ni payload
   noncePayload = (IkeNoncePayload *) ikeGetPayload(message, length,
      IKE_PAYLOAD_TYPE_NONCE, 0);
 
   //Mandatory payloads must be included in the received message
   if(saPayload == NULL || kePayload == NULL || noncePayload == NULL)
      return ERROR_INVALID_MESSAGE;
 
   //When a responder receives an IKE_SA_INIT request, it has to determine
   //whether the packet is a retransmission belonging to an existing half-open
   //IKE SA, or a new request, or it belongs to an existing IKE SA where the
   //IKE_AUTH request has been already received (refer to RFC 7296, section 2.1)
   sa = ikeFindHalfOpenSaEntry(context, ikeHeader, noncePayload);
 
   //Existing IKE SA found?
   if(sa != NULL)
   {
      //Half-open IKE SA?
      if(sa->state == IKE_SA_STATE_AUTH_REQ)
      {
         //If the packet is a retransmission belonging to an existing half-open
         //IKE SA The responder retransmits the same response
         return ikeRetransmitResponse(sa);
      }
      else
      {
         //If the packet belongs to an existing IKE SA where the IKE_AUTH
         //request has been already received, then the responder ignores it
         return ERROR_UNEXPECTED_MESSAGE;
      }
   }
 
   //If the packet is a new request, the responder creates a new IKE SA and
   //sends a fresh response
   sa = ikeCreateSaEntry(context);
   //Failed to create IKE SA?
   if(sa == NULL)
      return ERROR_OUT_OF_RESOURCES;
 
   //Initialize IKE SA
   sa->remoteIpAddr = context->remoteIpAddr;
   sa->remotePort = IKE_PORT;
 
   //The original initiator always refers to the party who initiated the
   //exchange (refer to RFC 7296, section 2.2)
   sa->originalInitiator = FALSE;
 
   //The Message ID is zero for the IKE_SA_INIT messages
   sa->rxMessageId = 0;
 
   //Save initiator's IKE SPI
   osMemcpy(sa->initiatorSpi, ikeHeader->initiatorSpi, IKE_SPI_SIZE);
 
   //Save the length of the first message (IKE_SA_INIT request)
   sa->initiatorSaInitLen = length;
 
   //Start of exception handling block
   do
   {
      //Check whether the message contains an unsupported critical payload
      error = ikeCheckCriticalPayloads(message, length,
         &sa->unsupportedCriticalPayload);
 
      //Valid IKE message?
      if(error == NO_ERROR)
      {
         //The message is valid
      }
      else if(error == ERROR_UNSUPPORTED_OPTION)
      {
         //Reject the message and send an UNSUPPORTED_CRITICAL_PAYLOAD error
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_UNSUPPORTED_CRITICAL_PAYLOAD;
         break;
      }
      else
      {
         //Reject the message and send an INVALID_SYNTAX error
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
         break;
      }
 
      //Save initiator's nonce
      error = ikeParseNoncePayload(noncePayload, sa->initiatorNonce,
         &sa->initiatorNonceLen);
 
      //Malformed nonce?
      if(error)
      {
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
         break;
      }
 
#if (IKE_COOKIE_SUPPORT == ENABLED)
      //Any registered callbacks?
      if(context->cookieVerifyCallback != NULL &&
         context->cookieGenerateCallback != NULL)
      {
         //Check whether the response includes a COOKIE notification
         notifyPayload = ikeGetStatusNotifyPayload(message, length,
            IKE_NOTIFY_MSG_TYPE_COOKIE);
 
         //COOKIE notification received?
         if(notifyPayload != NULL)
         {
            //Save the received cookie
            error = ikeParseCookieNotification(sa, notifyPayload);
 
            //Malformed notification?
            if(error)
            {
               sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
               break;
            }
         }
         else
         {
            //No cookie has been included in the IKE_SA_INIT message
            sa->cookieLen = 0;
         }
 
         //The cookie can be recomputed when the IKE_SA_INIT arrives the second
         //time and compared to the cookie in the received message
         error = context->cookieVerifyCallback(context,
            &context->remoteIpAddr, sa->initiatorSpi, sa->initiatorNonce,
            sa->initiatorNonceLen, sa->cookie, sa->cookieLen);
 
         //Check status code
         if(error == NO_ERROR)
         {
            //The received cookie is valid
         }
         else if(error == ERROR_WRONG_COOKIE)
         {
            //When one party receives an IKE_SA_INIT request containing a cookie
            //whose contents do not match the value expected, that party must
            //ignore the cookie and process the message as if no cookie had been
            //included (refer to RFC 7296, section 2.6)
            error = context->cookieGenerateCallback(context,
               &context->remoteIpAddr, sa->initiatorSpi, sa->initiatorNonce,
               sa->initiatorNonceLen, sa->cookie, &sa->cookieLen);
 
            //Check status code
            if(!error)
            {
               //Send a response containing a new cookie
               sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_COOKIE;
            }
            else
            {
               //Send an error response
               sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_TEMPORARY_FAILURE;
            }
 
            //Send IKE_SA_INIT response message
            break;
         }
         else
         {
            //Send an error response
            sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_TEMPORARY_FAILURE;
            break;
         }
      }
#endif
 
      //Check the syntax of the SAi payload
      error = ikeParseSaPayload(saPayload);
 
      //Malformed SAi payload?
      if(error)
      {
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
         break;
      }
 
      //The responder must choose a single suite, which may be any subset of
      //the SA proposal (refer to RFC 7296, section 2.7)
      error = ikeSelectSaProposal(sa, saPayload, 0);
 
      //The responder must accept a single proposal or reject them all and
      //return an error. The error is given in a notification of type
      //NO_PROPOSAL_CHOSEN
      if(error)
      {
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_NO_PROPOSAL_CHOSEN;
         break;
      }
 
      //Nonces used in IKEv2 must be at least half the key size of the
      //negotiated pseudorandom function (refer to RFC 7296, section 2.10)
      error = ikeCheckNonceLength(sa, sa->initiatorNonceLen);
 
      //Unacceptable nonce length?
      if(error)
      {
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
         break;
      }
 
      //The Key Exchange payload is used to exchange Diffie-Hellman public
      //numbers as part of a Diffie-Hellman key exchange
      error = ikeParseKePayload(sa, kePayload);
 
      //Check status code
      if(error == NO_ERROR)
      {
         //The Key Exchange payload is acceptable
      }
      else if(error == ERROR_INVALID_SYNTAX)
      {
         //The Key Exchange payload is malformed
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
         break;
      }
      else if(error == ERROR_INVALID_GROUP)
      {
         //Reject the message with a Notify payload of type INVALID_KE_PAYLOAD
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_KE_PAYLOAD;
         break;
      }
      else
      {
         //Report an error
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_TEMPORARY_FAILURE;
         break;
      }
 
#if (IKE_SIGN_HASH_ALGOS_SUPPORT == ENABLED)
      //Search the IKE_SA_INIT message for a Notify payload of type
      //SIGNATURE_HASH_ALGORITHMS
      notifyPayload = ikeGetStatusNotifyPayload(message, length,
         IKE_NOTIFY_MSG_TYPE_SIGNATURE_HASH_ALGORITHMS);
 
      //SIGNATURE_HASH_ALGORITHMS notification received?
      if(notifyPayload != NULL)
      {
         //This notification indicates the list of hash functions supported by
         //the sending peer (refer to RFC 7427, section 4)
         error = ikeParseSignHashAlgosNotification(sa, notifyPayload);
 
         //Malformed notification?
         if(error)
         {
            sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
            break;
         }
      }
      else
      {
         //The notification is not present in the IKE_SA_INIT message
         sa->signHashAlgos = 0;
      }
#endif
 
      //End of exception handling block
   } while(0);
 
   //An IKE message flow always consists of a request followed by a response
   return ikeSendIkeSaInitResponse(sa);
}
 
 
/**
 * @brief Process incoming IKE_SA_INIT response
 * @param[in] sa Pointer to the IKE SA
 * @param[in] message Pointer to the received IKE message
 * @param[in] length Length of the IKE message, in bytes
 * @return Error code
 **/
 
error_t ikeProcessIkeSaInitResponse(IkeSaEntry *sa, const uint8_t *message,
   size_t length)
{
   error_t error;
   uint16_t notifyMsgType;
   const IkeHeader *ikeHeader;
   const IkeSaPayload *saPayload;
   const IkeKePayload *kePayload;
   const IkeNoncePayload *noncePayload;
   const IkeCertReqPayload *certReqPayload;
   const IkeNotifyPayload *notifyPayload;
 
   //Each message begins with the IKE header
   ikeHeader = (IkeHeader *) message;
 
   //Check the state of the IKE SA
   if(sa->state != IKE_SA_STATE_INIT_RESP)
      return ERROR_UNEXPECTED_MESSAGE;
 
   //Save the length of the second message (IKE_SA_INIT response)
   sa->responderSaInitLen = length;
 
   //Start of exception handling block
   do
   {
      //Payloads sent in IKE response messages must not have the critical flag
      //set (refer to RFC 7296, section 2.5)
      error = ikeCheckCriticalPayloads(message, length, NULL);
      //Any error to report?
      if(error)
         break;
 
      //Check whether the response includes a Notify payload indicating an error
      notifyPayload = ikeGetErrorNotifyPayload(message, length);
 
      //Error notification found?
      if(notifyPayload != NULL)
      {
         //Types in the range 0-16383 are intended for reporting errors
         notifyMsgType = ntohs(notifyPayload->notifyMsgType);
 
         //Some error notifications such as INVALID_KE_PAYLOAD may lead to a
         //subsequent successful exchange
         if(notifyMsgType == IKE_NOTIFY_MSG_TYPE_INVALID_KE_PAYLOAD)
         {
            //If the initiator guesses wrong, the responder will respond with a
            //Notify payload of type INVALID_KE_PAYLOAD indicating the selected
            //group (refer to RFC 7296, section 1.2)
            error = ikeParseInvalidKeyPayloadNotification(sa, notifyPayload);
            //Malformed notification?
            if(error)
               break;
 
            //Reinitialize Diffie-Hellman context
            ikeFreeDhContext(sa);
            ikeInitDhContext(sa);
 
            //Generate a new ephemeral key pair
            error = ikeGenerateDhKeyPair(sa);
            //Any error to report?
            if(error)
               break;
 
            //The initiator must retry the IKE_SA_INIT with the corrected
            //Diffie-Hellman group (refer to RFC 7296, section 1.2)
            error = ERROR_RETRY;
            break;
         }
         else
         {
            //An implementation receiving an error type that it does not
            //recognize in a response must assume that the corresponding
            //request has failed entirely (refer to RFC 7296, section 3.10.1)
            error = ERROR_UNEXPECTED_STATUS;
            break;
         }
      }
 
      //Check whether the response includes a COOKIE notification
      notifyPayload = ikeGetStatusNotifyPayload(message, length,
         IKE_NOTIFY_MSG_TYPE_COOKIE);
 
      //COOKIE notification received?
      if(notifyPayload != NULL)
      {
         //Save the received cookie
         error = ikeParseCookieNotification(sa, notifyPayload);
         //Malformed notification?
         if(error)
            break;
 
         //If the IKE_SA_INIT response includes the COOKIE notification, the
         //initiator must then retry the IKE_SA_INIT request
         error = ERROR_RETRY;
         break;
      }
 
      //The responder chooses a cryptographic suite from the initiator's offered
      //choices and expresses that choice in the SAr payload
      saPayload = (IkeSaPayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_SA, 0);
 
      //The responder completes the Diffie-Hellman exchange with the KEr payload
      kePayload = (IkeKePayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_KE, 0);
 
      //The responder sends its nonce in the Nr payload
      noncePayload = (IkeNoncePayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_NONCE, 0);
 
      //A Certificate Request payload can optionally be included
      certReqPayload = (IkeCertReqPayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_CERTREQ, 0);
 
      //Mandatory payloads must be included in the received message
      if(saPayload == NULL || kePayload == NULL || noncePayload == NULL)
      {
         error = ERROR_INVALID_MESSAGE;
         break;
      }
 
      //The responder's SPI must not be zero
      if(osMemcmp(ikeHeader->responderSpi, IKE_INVALID_SPI, IKE_SPI_SIZE) == 0)
      {
         error = ERROR_INVALID_MESSAGE;
         break;
      }
 
      //Save responder's IKE SPI
      osMemcpy(sa->responderSpi, ikeHeader->responderSpi, IKE_SPI_SIZE);
 
      //Save responder's nonce
      error = ikeParseNoncePayload(noncePayload, sa->responderNonce,
         &sa->responderNonceLen);
      //Malformed nonce?
      if(error)
         break;
 
      //Check the syntax of the SAr payload
      error = ikeParseSaPayload(saPayload);
      //Malformed SAr payload?
      if(error)
         break;
 
      //The initiator of an exchange must check that the accepted offer is
      //consistent with one of its proposals, and if not must terminate the
      //exchange (refer to RFC 7296, section 3.3.6)
      error = ikeCheckSaProposal(sa, saPayload);
      //Invalid cryptographic suite?
      if(error)
         break;
 
      //Nonces used in IKEv2 must be at least half the key size of the
      //negotiated pseudorandom function (refer to RFC 7296, section 2.10)
      error = ikeCheckNonceLength(sa, sa->responderNonceLen);
      //Unacceptable nonce length?
      if(error)
         break;
 
      //The Key Exchange payload is used to exchange Diffie-Hellman public
      //numbers as part of a Diffie-Hellman key exchange
      error = ikeParseKePayload(sa, kePayload);
      //Any error to report?
      if(error)
         break;
 
      //The Certificate Request payload is optional
      if(certReqPayload != NULL)
      {
         //The Certificate Request payload provides a means to request preferred
         //certificates via IKE (refer to RFC 7296, section 3.7)
         error = ikeParseCertReqPayload(sa, certReqPayload);
         //Any error to report?
         if(error)
            break;
      }
 
#if (IKE_SIGN_HASH_ALGOS_SUPPORT == ENABLED)
      //Search the IKE_SA_INIT message for a Notify payload of type
      //SIGNATURE_HASH_ALGORITHMS
      notifyPayload = ikeGetStatusNotifyPayload(message, length,
         IKE_NOTIFY_MSG_TYPE_SIGNATURE_HASH_ALGORITHMS);
 
      //SIGNATURE_HASH_ALGORITHMS notification received?
      if(notifyPayload != NULL)
      {
         //This notification indicates the list of hash functions supported by
         //the sending peer (refer to RFC 7427, section 4)
         error = ikeParseSignHashAlgosNotification(sa, notifyPayload);
         //Any error to report?
         if(error)
            break;
      }
      else
      {
         //The notification is not present in the IKE_SA_INIT message
         sa->signHashAlgos = 0;
      }
#endif
 
      //End of exception handling block
   } while(0);
 
   //Check status code
   if(error == NO_ERROR)
   {
      //The second pair of messages (IKE_AUTH) authenticate the previous
      //messages, exchange identities and certificates, and establish the
      //first Child SA
      error = ikeSendIkeAuthRequest(sa);
   }
   else if(error == ERROR_RETRY)
   {
      //The initiator must then retry the IKE_SA_INIT request
      error = ikeSendIkeSaInitRequest(sa);
   }
   else
   {
      //The IKE_SA_INIT exchange has failed
      ikeDeleteSaEntry(sa);
   }
 
   //Return status code
   return error;
}
 
 
/**
 * @brief Process incoming IKE_AUTH request
 * @param[in] sa Pointer to the IKE SA
 * @param[in] message Pointer to the received IKE message
 * @param[in] length Length of the IKE message, in bytes
 * @return Error code
 **/
 
error_t ikeProcessIkeAuthRequest(IkeSaEntry *sa, const uint8_t *message,
   size_t length)
{
   error_t error;
   IkeChildSaEntry *childSa;
   IpsecPadEntry *padEntry;
   const IkeIdPayload *idPayload;
   const IkeCertPayload *certPayload;
   const IkeCertReqPayload *certReqPayload;
   const IkeAuthPayload *authPayload;
   const IkeSaPayload *saPayload;
   const IkeTsPayload *tsiPayload;
   const IkeTsPayload *tsrPayload;
 
   //Initialize Child SA
   childSa = NULL;
 
   //Check the state of the IKE SA
   if(sa->state != IKE_SA_STATE_AUTH_REQ)
      return ERROR_UNEXPECTED_MESSAGE;
 
   //Start of exception handling block
   do
   {
      //Check whether the message contains an unsupported critical payload
      error = ikeCheckCriticalPayloads(message, length,
         &sa->unsupportedCriticalPayload);
 
      //Valid IKE message?
      if(error == NO_ERROR)
      {
         //The message is valid
      }
      else if(error == ERROR_UNSUPPORTED_OPTION)
      {
         //Reject the message and send an UNSUPPORTED_CRITICAL_PAYLOAD error
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_UNSUPPORTED_CRITICAL_PAYLOAD;
         break;
      }
      else
      {
         //Reject the message and send an INVALID_SYNTAX error
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
         break;
      }
 
      //The initiator asserts its identity with the IDi payload (refer to
      //RFC 7296, section 1.2)
      idPayload = (IkeIdPayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_IDI, 0);
 
      //The Certificate payload provides a means to transport certificates or
      //other authentication-related information via IKE
      certPayload = (IkeCertPayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_CERT, 0);
 
      //A Certificate Request payload can optionally be included
      certReqPayload = (IkeCertReqPayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_CERTREQ, 0);
 
      //The initiator proves knowledge of the secret corresponding to IDi and
      //integrity protects the contents of the first message using the AUTH
      //payload
      authPayload = (IkeAuthPayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_AUTH, 0);
 
      //Mandatory payloads must be included in the received message
      if(idPayload == NULL || authPayload == NULL)
      {
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
         break;
      }
 
      //Parse Identification payload
      error = ikeParseIdPayload(sa, idPayload);
 
      //Malformed Identification payload?
      if(error)
      {
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
         break;
      }
 
      //Perform lookup in the PAD database based on the ID
      padEntry = ipsecFindPadEntry(netContext.ipsecContext, sa->peerIdType,
         sa->peerId, sa->peerIdLen);
 
      //All errors causing the authentication to fail for whatever reason
      //(invalid shared secret, invalid ID, untrusted certificate issuer,
      //revoked or expired certificate, etc.) should result in an
      //AUTHENTICATION_FAILED notification
      if(padEntry == NULL)
      {
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_AUTH_FAILED;
         break;
      }
 
#if (IKE_CERT_AUTH_SUPPORT == ENABLED)
      //Check whether a Certificate payload is included
      if(certPayload != NULL)
      {
         //Parse the certificate chain
         error = ikeParseCertificateChain(sa, padEntry, message, length);
 
         //Failed to validate certificate chain?
         if(error)
         {
            sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_AUTH_FAILED;
            break;
         }
      }
#endif
 
      //The peers are authenticated by having each sign (or MAC using a padded
      //shared secret as the key, as described later in this section) a block
      //of data (refer to RFC 7296, section 2.15)
      error = ikeVerifyAuth(sa, padEntry, idPayload, certPayload, authPayload);
 
      //Authentication failure?
      if(error)
      {
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_AUTH_FAILED;
         break;
      }
 
      //The Certificate Request payload is optional
      if(certReqPayload != NULL)
      {
         //The Certificate Request payload provides a means to request preferred
         //certificates via IKE (refer to RFC 7296, section 3.7)
         error = ikeParseCertReqPayload(sa, certReqPayload);
 
         //Malformed Certificate Request payload?
         if(error)
         {
            sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
            break;
         }
      }
 
      //The initiator begins negotiation of a Child SA using the SAi payload
      saPayload = (IkeSaPayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_SA, 0);
 
      //TSi specifies the source address of traffic forwarded from (or the
      //destination address of traffic forwarded to) the initiator of the
      //Child SA pair
      tsiPayload = (IkeTsPayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_TSI, 0);
 
      //TSr specifies the destination address of the traffic forwarded to (or
      //the source address of the traffic forwarded from) the responder of the
      //Child SA pair
      tsrPayload = (IkeTsPayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_TSR, 0);
 
      //Child SAs can be created either by being piggybacked on the IKE_AUTH
      //exchange, or using a separate CREATE_CHILD_SA exchange
      if(saPayload != NULL && tsiPayload != NULL && tsrPayload != NULL)
      {
         //Create a new Child SA
         childSa = ikeCreateChildSaEntry(sa->context);
 
         //Failed to create Child SA?
         if(childSa == NULL)
         {
            sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_TEMPORARY_FAILURE;
            break;
         }
 
         //Initialize Child SA
         childSa->sa = sa;
         childSa->mode = IPSEC_MODE_TUNNEL;
         childSa->initiator = FALSE;
 
         //Generate a new SPI for the Child SA
         error = ikeGenerateChildSaSpi(childSa, childSa->localSpi);
 
         //Any error to report?
         if(error)
         {
            sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_TEMPORARY_FAILURE;
            break;
         }
 
         //IKEv2 allows the responder to choose a subset of the traffic proposed
         //by the initiator (refer to RFC 7296, section 2.9)
         error = ikeSelectTs(childSa, tsiPayload, tsrPayload);
 
         //If the responder's policy does not allow it to accept any part of
         //the proposed Traffic Selectors, it responds with a TS_UNACCEPTABLE
         //Notify message
         if(error)
         {
            sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_TS_UNACCEPTABLE;
            break;
         }
 
         //Check the syntax of the SAi payload
         error = ikeParseSaPayload(saPayload);
 
         //Malformed SAi payload?
         if(error)
         {
            sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
            break;
         }
 
         //The responder must choose a single suite, which may be any subset
         //of the SA proposal (refer to RFC 7296, section 2.7)
         error = ikeSelectChildSaProposal(childSa, saPayload);
 
         //The responder must accept a single proposal or reject them all and
         //return an error. The error is given in a notification of type
         //NO_PROPOSAL_CHOSEN
         if(error)
         {
            sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_NO_PROPOSAL_CHOSEN;
            break;
         }
 
         //The USE_TRANSPORT_MODE notification may be included in a request
         //message that also includes an SA payload requesting a Child SA
         if(ikeGetStatusNotifyPayload(message, length,
            IKE_NOTIFY_MSG_TYPE_USE_TRANSPORT_MODE) != NULL)
         {
            //It requests that the Child SA use transport mode rather than
            //tunnel mode for the SA created
            childSa->mode = IPSEC_MODE_TRANSPORT;
         }
 
         //Attach the newly created Child SA to the IKE SA
         sa->childSa = childSa;
      }
 
#if (IKE_INITIAL_CONTACT_SUPPORT == ENABLED)
      //The INITIAL_CONTACT notification asserts that this IKE SA is the only
      //IKE SA currently active between the authenticated identities
      if(ikeGetStatusNotifyPayload(message, length,
         IKE_NOTIFY_MSG_TYPE_INITIAL_CONTACT) != NULL)
      {
         //It may be sent when an IKE SA is established after a crash, and the
         //recipient may use this information to delete any other IKE SAs it
         //has to the same authenticated identity without waiting for a timeout
         sa->initialContact = TRUE;
      }
#endif
 
      //End of exception handling block
   } while(0);
 
   //Failed to create Child SA?
   if(sa->notifyMsgType == IKE_NOTIFY_MSG_TYPE_NO_PROPOSAL_CHOSEN ||
      sa->notifyMsgType == IKE_NOTIFY_MSG_TYPE_TS_UNACCEPTABLE ||
      sa->notifyMsgType == IKE_NOTIFY_MSG_TYPE_SINGLE_PAIR_REQUIRED ||
      sa->notifyMsgType == IKE_NOTIFY_MSG_TYPE_INTERNAL_ADDRESS_FAILURE ||
      sa->notifyMsgType == IKE_NOTIFY_MSG_TYPE_FAILED_CP_REQUIRED)
   {
      //If creating the Child SA during the IKE_AUTH exchange fails for some
      //reason, the IKE SA is still created as usual (refer to RFC 7296,
      //section 1.2)
      if(childSa != NULL)
      {
         ikeDeleteChildSaEntry(childSa);
      }
   }
 
   //An IKE message flow always consists of a request followed by a response
   return ikeSendIkeAuthResponse(sa);
}
 
 
/**
 * @brief Process incoming IKE_AUTH response
 * @param[in] sa Pointer to the IKE SA
 * @param[in] message Pointer to the received IKE message
 * @param[in] length Length of the IKE message, in bytes
 * @return Error code
 **/
 
error_t ikeProcessIkeAuthResponse(IkeSaEntry *sa, const uint8_t *message,
   size_t length)
{
   error_t error;
   uint16_t notifyMsgType;
   IkeChildSaEntry *childSa;
   IpsecPadEntry *padEntry;
   const IkeIdPayload *idPayload;
   const IkeCertPayload *certPayload;
   const IkeAuthPayload *authPayload;
   const IkeSaPayload *saPayload;
   const IkeNotifyPayload *notifyPayload;
   const IkeTsPayload *tsiPayload;
   const IkeTsPayload *tsrPayload;
 
   //Point to the Child SA
   childSa = sa->childSa;
 
   //Start of exception handling block
   do
   {
      //Check the state of the IKE SA
      if(sa->state != IKE_SA_STATE_AUTH_RESP)
      {
         error = ERROR_UNEXPECTED_MESSAGE;
         break;
      }
 
      //Payloads sent in IKE response messages must not have the critical flag
      //set (refer to RFC 7296, section 2.5)
      error = ikeCheckCriticalPayloads(message, length, NULL);
      //Any error to report?
      if(error)
         break;
 
      //Check whether the response includes a Notify payload indicating an error
      notifyPayload = ikeGetErrorNotifyPayload(message, length);
 
      //Error notification found?
      if(notifyPayload != NULL)
      {
         //Types in the range 0-16383 are intended for reporting errors
         notifyMsgType = ntohs(notifyPayload->notifyMsgType);
 
         //If creating the Child SA during the IKE_AUTH exchange fails for some
         //reason, the IKE SA is still created as usual (refer to RFC 7296,
         //section 1.2)
         if(notifyMsgType != IKE_NOTIFY_MSG_TYPE_NO_PROPOSAL_CHOSEN &&
            notifyMsgType != IKE_NOTIFY_MSG_TYPE_TS_UNACCEPTABLE &&
            notifyMsgType != IKE_NOTIFY_MSG_TYPE_SINGLE_PAIR_REQUIRED &&
            notifyMsgType != IKE_NOTIFY_MSG_TYPE_INTERNAL_ADDRESS_FAILURE &&
            notifyMsgType != IKE_NOTIFY_MSG_TYPE_FAILED_CP_REQUIRED)
         {
            error = ERROR_UNEXPECTED_STATUS;
            break;
         }
      }
 
      //The responder asserts its identity with the IDr payload (refer to
      //RFC 7296, section 1.2)
      idPayload = (IkeIdPayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_IDR, 0);
 
      //The Certificate payload provides a means to transport certificates or
      //other authentication-related information via IKE
      certPayload = (IkeCertPayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_CERT, 0);
 
      //The responder authenticates its identity and protects the integrity
      //of the second message with the AUTH payload
      authPayload = (IkeAuthPayload *) ikeGetPayload(message, length,
         IKE_PAYLOAD_TYPE_AUTH, 0);
 
      //Mandatory payloads must be included in the received message
      if(idPayload == NULL || authPayload == NULL)
      {
         error = ERROR_AUTHENTICATION_FAILED;
         break;
      }
 
      //Parse Identification payload
      error = ikeParseIdPayload(sa, idPayload);
      //Malformed Identification payload?
      if(error)
      {
         error = ERROR_AUTHENTICATION_FAILED;
         break;
      }
 
      //Perform lookup in the PAD database based on the ID
      padEntry = ipsecFindPadEntry(netContext.ipsecContext, sa->peerIdType,
         sa->peerId, sa->peerIdLen);
      //Invalid ID?
      if(padEntry == NULL)
      {
         error = ERROR_AUTHENTICATION_FAILED;
         break;
      }
 
#if (IKE_CERT_AUTH_SUPPORT == ENABLED)
      //Check whether a Certificate payload is included
      if(certPayload != NULL)
      {
         //Parse the certificate chain
         error = ikeParseCertificateChain(sa, padEntry, message, length);
         //Failed to validate certificate chain?
         if(error)
         {
            error = ERROR_AUTHENTICATION_FAILED;
            break;
         }
      }
#endif
 
      //The peers are authenticated by having each sign (or MAC using a padded
      //shared secret as the key, as described later in this section) a block
      //of data (refer to RFC 7296, section 2.15)
      error = ikeVerifyAuth(sa, padEntry, idPayload, certPayload, authPayload);
      //Authentication failure?
      if(error)
      {
         error = ERROR_AUTHENTICATION_FAILED;
         break;
      }
 
      //The responder completes negotiation of a Child SA with additional fields
      if(childSa != NULL)
      {
         //Successful Child SA creation?
         if(notifyPayload == NULL)
         {
            //The responder chooses a cryptographic suite from the initiator's
            //offered choices and expresses that choice in the SAr payload
            saPayload = (IkeSaPayload *) ikeGetPayload(message, length,
               IKE_PAYLOAD_TYPE_SA, 0);
 
            //TSi specifies the source address of traffic forwarded from (or
            //the destination address of traffic forwarded to) the initiator
            //of the Child SA pair
            tsiPayload = (IkeTsPayload *) ikeGetPayload(message, length,
               IKE_PAYLOAD_TYPE_TSI, 0);
 
            //TSr specifies the destination address of the traffic forwarded
            //to (or the source address of the traffic forwarded from) the
            //responder of the Child SA pair
            tsrPayload = (IkeTsPayload *) ikeGetPayload(message, length,
               IKE_PAYLOAD_TYPE_TSR, 0);
 
            //Mandatory payloads must be included in the received message
            if(saPayload == NULL || tsiPayload == NULL || tsrPayload == NULL)
            {
               error = ERROR_INVALID_MESSAGE;
               break;
            }
 
            //Check the syntax of the SAr payload
            error = ikeParseSaPayload(saPayload);
            //Malformed SAr payload?
            if(error)
               break;
 
            //The initiator of an exchange must check that the accepted offer
            //is consistent with one of its proposals, and if not must terminate
            //the exchange (refer to RFC 7296, section 3.3.6)
            error = ikeCheckChildSaProposal(childSa, saPayload);
            //Invalid cryptographic suite?
            if(error)
               break;
 
            //When the responder chooses a subset of the traffic proposed by
            //the initiator, it narrows the Traffic Selectors to some subset
            //of the initiator's proposal (refer to RFC 7296, section 2.9)
            error = ikeCheckTs(childSa, tsiPayload, tsrPayload);
            //Invalid traffic selector?
            if(error)
               break;
 
            //The initiator can request that the Child SA use transport mode rather
            //than tunnel mode for the SA created
            if(childSa->mode == IPSEC_MODE_TRANSPORT)
            {
               //If the request is accepted, the response must also include a
               //notification of type USE_TRANSPORT_MODE
               if(ikeGetStatusNotifyPayload(message, length,
                  IKE_NOTIFY_MSG_TYPE_USE_TRANSPORT_MODE) == NULL)
               {
                  //Use tunnel mode
                  childSa->mode = IPSEC_MODE_TUNNEL;
               }
            }
 
            //For the first Child SA created, Ni and Nr are the nonces from the
            //IKE_SA_INIT exchange (refer to RFC 7296, section 2.17)
            osMemcpy(childSa->initiatorNonce, sa->initiatorNonce,
               sa->initiatorNonceLen);
            osMemcpy(childSa->responderNonce, sa->responderNonce,
               sa->responderNonceLen);
 
            //Save the length of Ni and Nr nonces
            childSa->initiatorNonceLen = sa->initiatorNonceLen;
            childSa->responderNonceLen = sa->responderNonceLen;
 
            //A single Child SA is created by the IKE_AUTH exchange. Keying
            //material for the Child SA must be taken from the expanded KEYMAT
            //(refer to RFC 7296, section 2.17)
            error = ikeGenerateChildSaKeyMaterial(childSa);
            //Any error to report?
            if(error)
               break;
         }
         else
         {
            //The Child SA creation has failed
            ikeDeleteChildSaEntry(childSa);
            sa->childSa = NULL;
            childSa = NULL;
         }
      }
 
#if (IKE_INITIAL_CONTACT_SUPPORT == ENABLED)
      //The INITIAL_CONTACT notification asserts that this IKE SA is the only
      //IKE SA currently active between the authenticated identities
      if(ikeGetStatusNotifyPayload(message, length,
         IKE_NOTIFY_MSG_TYPE_INITIAL_CONTACT) != NULL)
      {
         //It may be sent when an IKE SA is established after a crash, and the
         //recipient may use this information to delete any other IKE SAs it
         //has to the same authenticated identity without waiting for a timeout
         ikeDeleteDuplicateSaEntries(sa);
      }
#endif
 
      //End of exception handling block
   } while(0);
 
   //Check status code
   if(error == NO_ERROR)
   {
      //The initiator has received the IKE_AUTH response
      ikeChangeSaState(sa, IKE_SA_STATE_OPEN);
 
      //Successful Child SA creation?
      if(childSa != NULL)
      {
         //Update the state of the Child SA
         ikeChangeChildSaState(childSa, IKE_CHILD_SA_STATE_OPEN);
 
         //ESP and AH SAs exist in pairs (one in each direction), so two SAs
         //are created in a single Child SA negotiation for them
         ikeCreateIpsecSaPair(childSa);
      }
 
      //Check whether reauthentication is on-going
      if(sa->oldSa != NULL)
      {
         //IKEv2 does not have any special support for reauthentication.
         //Reauthentication is done by creating a new IKE SA from scratch,
         //creating new Child SAs within the new IKE SA, and finally deleting
         //the old IKE SA
         ikeProcessSaDeleteEvent(sa->oldSa);
 
         //Detach the old IKE SA
         sa->oldSa = NULL;
      }
   }
   else if(error == ERROR_AUTHENTICATION_FAILED)
   {
      //All errors causing the authentication to fail for whatever reason
      //(invalid shared secret, invalid ID, untrusted certificate issuer,
      //revoked or expired certificate, etc.) should result in an
      //AUTHENTICATION_FAILED notification
      ikeChangeSaState(sa, IKE_SA_STATE_AUTH_FAILURE_REQ);
 
      //If the error occurs on the initiator, the notification may be returned
      //in a separate INFORMATIONAL exchange, usually with no other payloads.
      //This is an exception for the general rule of not starting new exchanges
      //based on errors in responses (refer to RFC 7296, section 2.21.2)
      ikeSendInformationalRequest(sa);
   }
   else
   {
      //The IKE_AUTH exchange has failed
      ikeDeleteSaEntry(sa);
   }
 
   //Return status code
   return error;
}
 
 
/**
 * @brief Process incoming CREATE_CHILD_SA request
 * @param[in] sa Pointer to the IKE SA
 * @param[in] message Pointer to the received IKE message
 * @param[in] length Length of the IKE message, in bytes
 * @return Error code
 **/
 
error_t ikeProcessCreateChildSaRequest(IkeSaEntry *sa, const uint8_t *message,
   size_t length)
{
   //The CREATE_CHILD_SA exchange may be initiated by either end of the IKE SA
   //after the initial exchanges are completed (refer to RFC 7296, section 1.3)
   if(sa->state < IKE_SA_STATE_OPEN)
      return ERROR_UNEXPECTED_MESSAGE;
 
   //A minimal implementation may support the CREATE_CHILD_SA exchange only in
   //so far as to recognize requests and reject them with a Notify payload of
   //type NO_ADDITIONAL_SAS (refer to RFC 7296, section 4)
   sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_NO_ADDITIONAL_SAS;
 
   //An IKE message flow always consists of a request followed by a response
   return ikeSendCreateChildSaResponse(sa, NULL);
}
 
 
/**
 * @brief Process incoming CREATE_CHILD_SA response
 * @param[in] sa Pointer to the IKE SA
 * @param[in] message Pointer to the received IKE message
 * @param[in] length Length of the IKE message, in bytes
 * @return Error code
 **/
 
error_t ikeProcessCreateChildSaResponse(IkeSaEntry *sa, const uint8_t *message,
   size_t length)
{
   //Minimal implementations are not required to support the CREATE_CHILD_SA
   //exchange (refer to RFC 7296, section 4)
   return ERROR_UNEXPECTED_MESSAGE;
}
 
 
/**
 * @brief Process incoming INFORMATIONAL request
 * @param[in] sa Pointer to the IKE SA
 * @param[in] message Pointer to the received IKE message
 * @param[in] length Length of the IKE message, in bytes
 * @return Error code
 **/
 
error_t ikeProcessInformationalRequest(IkeSaEntry *sa, const uint8_t *message,
   size_t length)
{
   error_t error;
   uint_t i;
   uint16_t notifyMsgType;
   const IkeDeletePayload *deletePayload;
   const IkeNotifyPayload *notifyPayload;
 
   //INFORMATIONAL exchanges must only occur after the initial exchanges
   //and are cryptographically protected with the negotiated keys (refer to
   //RFC 7296, section 1.4)
   if(sa->state < IKE_SA_STATE_OPEN)
      return ERROR_UNEXPECTED_MESSAGE;
 
   //Start of exception handling block
   do
   {
      //Check whether the message contains an unsupported critical payload
      error = ikeCheckCriticalPayloads(message, length,
         &sa->unsupportedCriticalPayload);
 
      //Valid IKE message?
      if(error == NO_ERROR)
      {
         //The message is valid
      }
      else if(error == ERROR_UNSUPPORTED_OPTION)
      {
         //Reject the message and send an UNSUPPORTED_CRITICAL_PAYLOAD error
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_UNSUPPORTED_CRITICAL_PAYLOAD;
         break;
      }
      else
      {
         //Reject the message and send an INVALID_SYNTAX error
         sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
         break;
      }
 
      //Check whether the response includes a Notify payload indicating an error
      notifyPayload = ikeGetErrorNotifyPayload(message, length);
 
      //Error notification found?
      if(notifyPayload != NULL)
      {
         //Types in the range 0-16383 are intended for reporting errors
         notifyMsgType = ntohs(notifyPayload->notifyMsgType);
 
         //Check error type
         if(notifyMsgType == IKE_NOTIFY_MSG_TYPE_AUTH_FAILED ||
            notifyMsgType == IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX)
         {
            //This error notification is considered fatal in both peers
            sa->deleteReceived = TRUE;
         }
         else
         {
            //Unrecognized error types in a request must be ignored (refer to
            //RFC 7296, section 3.10.1)
         }
      }
 
      //To delete an SA, an INFORMATIONAL exchange with one or more Delete
      //payloads is sent listing the SPIs of the SAs to be deleted (refer to
      //RFC 7296, section 1.4.1)
      for(i = 0; ; i++)
      {
         //Extract next Delete payload
         deletePayload = (IkeDeletePayload *) ikeGetPayload(message, length,
            IKE_PAYLOAD_TYPE_D, i);
 
         //Delete payload not found?
         if(deletePayload == NULL)
            break;
 
         //The Delete payload list the SPIs to be deleted
         error = ikeParseDeletePayload(sa, deletePayload, FALSE);
 
         //Malformed payload?
         if(error)
         {
            sa->notifyMsgType = IKE_NOTIFY_MSG_TYPE_INVALID_SYNTAX;
            break;
         }
      }
 
      //End of exception handling block
   } while(0);
 
   //An IKE message flow always consists of a request followed by a response
   return ikeSendInformationalResponse(sa);
}
 
 
/**
 * @brief Process incoming INFORMATIONAL response
 * @param[in] sa Pointer to the IKE SA
 * @param[in] message Pointer to the received IKE message
 * @param[in] length Length of the IKE message, in bytes
 * @return Error code
 **/
 
error_t ikeProcessInformationalResponse(IkeSaEntry *sa, const uint8_t *message,
   size_t length)
{
   error_t error;
   uint_t i;
   const IkeDeletePayload *deletePayload;
   const IkeNotifyPayload *notifyPayload;
 
   //Start of exception handling block
   do
   {
      //Check the state of the IKE SA
      if(sa->state != IKE_SA_STATE_DPD_RESP &&
         sa->state != IKE_SA_STATE_DELETE_RESP &&
         sa->state != IKE_SA_STATE_DELETE_CHILD_RESP &&
         sa->state != IKE_SA_STATE_AUTH_FAILURE_RESP)
      {
         error = ERROR_UNEXPECTED_MESSAGE;
         break;
      }
 
      //Payloads sent in IKE response messages must not have the critical flag
      //set (refer to RFC 7296, section 2.5)
      error = ikeCheckCriticalPayloads(message, length, NULL);
      //Any error to report?
      if(error)
         break;
 
      //Check whether the response includes a Notify payload indicating an error
      notifyPayload = ikeGetErrorNotifyPayload(message, length);
 
      //Error notification found?
      if(notifyPayload != NULL)
      {
         //An implementation receiving an error type that it does not recognize
         //in a response must assume that the corresponding request has failed
         //entirely (refer to RFC 7296, section 3.10.1)
         error = ERROR_UNEXPECTED_STATUS;
         break;
      }
 
      //The response in the INFORMATIONAL exchange will contain Delete payloads
      //for the paired SAs going in the other direction
      for(i = 0; ; i++)
      {
         //Extract next Delete payload
         deletePayload = (IkeDeletePayload *) ikeGetPayload(message, length,
            IKE_PAYLOAD_TYPE_D, i);
         //Delete payload not found?
         if(deletePayload == NULL)
            break;
 
         //The Delete payload list the SPIs to be deleted
         error = ikeParseDeletePayload(sa, deletePayload, TRUE);
         //Malformed payload?
         if(error)
            break;
      }
 
      //End of exception handling block
   } while(0);
 
   //Check status code
   if(error == NO_ERROR)
   {
      //Check the state of the IKE SA
      if(sa->state == IKE_SA_STATE_DPD_RESP)
      {
         //Receipt of a fresh cryptographically protected message on an IKE SA
         //ensures liveness of the IKE SA and all of its Child SAs
         ikeChangeSaState(sa, IKE_SA_STATE_OPEN);
      }
      else if(sa->state == IKE_SA_STATE_DELETE_RESP ||
         sa->state == IKE_SA_STATE_AUTH_FAILURE_RESP)
      {
         //Deleting an IKE SA implicitly closes any remaining Child SAs
         //negotiated under it (refer to RFC 7296, section 1.4.1)
         ikeDeleteSaEntry(sa);
      }
      else if(sa->state == IKE_SA_STATE_DELETE_CHILD_RESP)
      {
         //Update the state of the IKE SA
         ikeChangeSaState(sa, IKE_SA_STATE_OPEN);
      }
      else
      {
         //Just for sanity
      }
   }
   else
   {
      //Delete the IKE SA
      ikeDeleteSaEntry(sa);
   }
 
   //Return status code
   return error;
}
 
#endif