ike_message_parse.c
AH algorithm negotiation.
Debugging facilities.
ESP algorithm negotiation.
IKEv2 (Internet Key Exchange Protocol)
@ IKE_NOTIFY_MSG_TYPE_NO_PROPOSAL_CHOSEN
Definition: ike.h:1012
@ IKE_NOTIFY_MSG_TYPE_INTERNAL_ADDRESS_FAILURE
Definition: ike.h:1017
@ IKE_NOTIFY_MSG_TYPE_SINGLE_PAIR_REQUIRED
Definition: ike.h:1015
@ IKE_NOTIFY_MSG_TYPE_USE_TRANSPORT_MODE
Definition: ike.h:1036
@ IKE_NOTIFY_MSG_TYPE_UNSUPPORTED_CRITICAL_PAYLOAD
Definition: ike.h:1006
@ IKE_NOTIFY_MSG_TYPE_INVALID_KE_PAYLOAD
Definition: ike.h:1013
@ IKE_NOTIFY_MSG_TYPE_SIGNATURE_HASH_ALGORITHMS
Definition: ike.h:1076
@ IKE_NOTIFY_MSG_TYPE_FAILED_CP_REQUIRED
Definition: ike.h:1018
error_t ikeSelectChildSaProposal(IkeChildSaEntry *childSa, const IkeSaPayload *payload)
Select a single proposal (AH or ESP protocol)
Definition: ike_algorithms.c:1854
error_t ikeCheckSaProposal(IkeSaEntry *sa, const IkeSaPayload *payload)
Check whether the selected proposal is acceptable (IKE protocol)
Definition: ike_algorithms.c:1892
error_t ikeSelectSaProposal(IkeSaEntry *sa, const IkeSaPayload *payload, size_t spiSize)
Select a single proposal (IKE protocol)
Definition: ike_algorithms.c:1726
error_t ikeCheckChildSaProposal(IkeChildSaEntry *childSa, const IkeSaPayload *payload)
Check whether the selected proposal is acceptable (AH or ESP protocol)
Definition: ike_algorithms.c:2028
IKEv2 algorithm negotiation.
error_t ikeVerifyAuth(IkeSaEntry *sa, IpsecPadEntry *padEntry, const IkeIdPayload *idPayload, const IkeCertPayload *certPayload, const IkeAuthPayload *authPayload)
Verify signature or MAC.
Definition: ike_auth.c:137
Authentication of the IKE SA.
error_t ikeParseCertificateChain(IkeSaEntry *sa, IpsecPadEntry *padEntry, const uint8_t *message, size_t length)
Parse certificate chain.
Definition: ike_certificate.c:445
X.509 certificate handling.
void ikeDumpMessage(const uint8_t *message, size_t length)
Dump IKE message.
Definition: ike_debug.c:379
Data logging functions for debugging purpose (IKEv2)
Diffie-Hellman groups.
void ikeChangeChildSaState(IkeChildSaEntry *childSa, IkeChildSaState newState)
Update Child SA state.
Definition: ike_fsm.c:108
void ikeChangeSaState(IkeSaEntry *sa, IkeSaState newState)
Update IKE SA state.
Definition: ike_fsm.c:53
error_t ikeProcessSaDeleteEvent(IkeSaEntry *sa)
Handle IKE SA deletion event.
Definition: ike_fsm.c:649
IKEv2 finite state machine.
error_t ikeRetransmitResponse(IkeSaEntry *sa)
Retransmit IKE response message.
Definition: ike_misc.c:98
void ikeInitDhContext(IkeSaEntry *sa)
Initialize Diffie-Hellman context.
Definition: ike_key_exchange.c:50
void ikeFreeDhContext(IkeSaEntry *sa)
Release Diffie-Hellman context.
Definition: ike_key_exchange.c:69
error_t ikeGenerateDhKeyPair(IkeSaEntry *sa)
Diffie-Hellman key pair generation.
Definition: ike_key_exchange.c:89
Diffie-Hellman key exchange.
error_t ikeGenerateChildSaKeyMaterial(IkeChildSaEntry *childSa)
Generate keying material for the Child SA.
Definition: ike_key_material.c:261
Key material generation.
error_t ikeDecryptMessage(IkeSaEntry *sa, uint8_t *message, size_t *messageLen)
Decrypt an incoming IKE message.
Definition: ike_message_decrypt.c:56
IKE message decryption.
error_t ikeSendErrorResponse(IkeContext *context, uint8_t *message, size_t length)
Send INFORMATIONAL response (outside of an IKE SA)
Definition: ike_message_format.c:650
error_t ikeSendInformationalResponse(IkeSaEntry *sa)
Send INFORMATIONAL response.
Definition: ike_message_format.c:579
error_t ikeSendIkeAuthResponse(IkeSaEntry *sa)
Send IKE_AUTH response.
Definition: ike_message_format.c:308
error_t ikeSendCreateChildSaResponse(IkeSaEntry *sa, IkeChildSaEntry *childSa)
Send CREATE_CHILD_SA response.
Definition: ike_message_format.c:464
error_t ikeSendIkeSaInitRequest(IkeSaEntry *sa)
Send IKE_SA_INIT request.
Definition: ike_message_format.c:61
error_t ikeSendInformationalRequest(IkeSaEntry *sa)
Send INFORMATIONAL request.
Definition: ike_message_format.c:510
error_t ikeSendIkeSaInitResponse(IkeSaEntry *sa)
Send IKE_SA_INIT response.
Definition: ike_message_format.c:107
error_t ikeSendIkeAuthRequest(IkeSaEntry *sa)
Send IKE_AUTH request.
Definition: ike_message_format.c:223
IKE message formatting.
error_t ikeProcessIkeAuthRequest(IkeSaEntry *sa, const uint8_t *message, size_t length)
Process incoming IKE_AUTH request.
Definition: ike_message_parse.c:938
error_t ikeProcessInformationalResponse(IkeSaEntry *sa, const uint8_t *message, size_t length)
Process incoming INFORMATIONAL response.
Definition: ike_message_parse.c:1662
error_t ikeProcessIkeAuthResponse(IkeSaEntry *sa, const uint8_t *message, size_t length)
Process incoming IKE_AUTH response.
Definition: ike_message_parse.c:1218
error_t ikeProcessRequest(IkeContext *context, uint8_t *message, size_t length)
Process incoming IKE request.
Definition: ike_message_parse.c:115
error_t ikeProcessCreateChildSaRequest(IkeSaEntry *sa, const uint8_t *message, size_t length)
Process incoming CREATE_CHILD_SA request.
Definition: ike_message_parse.c:1516
error_t ikeProcessInformationalRequest(IkeSaEntry *sa, const uint8_t *message, size_t length)
Process incoming INFORMATIONAL request.
Definition: ike_message_parse.c:1559
error_t ikeProcessCreateChildSaResponse(IkeSaEntry *sa, const uint8_t *message, size_t length)
Process incoming CREATE_CHILD_SA response.
Definition: ike_message_parse.c:1542
error_t ikeProcessMessage(IkeContext *context, uint8_t *message, size_t length)
Process incoming IKE message.
Definition: ike_message_parse.c:66
error_t ikeProcessIkeSaInitResponse(IkeSaEntry *sa, const uint8_t *message, size_t length)
Process incoming IKE_SA_INIT response.
Definition: ike_message_parse.c:703
error_t ikeProcessResponse(IkeContext *context, uint8_t *message, size_t length)
Process incoming IKE response.
Definition: ike_message_parse.c:263
error_t ikeProcessIkeSaInitRequest(IkeContext *context, const uint8_t *message, size_t length)
Process incoming IKE_SA_INIT request.
Definition: ike_message_parse.c:393
IKE message parsing.
error_t ikeSelectTs(IkeChildSaEntry *childSa, const IkeTsPayload *tsiPayload, const IkeTsPayload *tsrPayload)
Traffic selector selection.
Definition: ike_misc.c:760
IkeSaEntry * ikeFindHalfOpenSaEntry(IkeContext *context, const IkeHeader *ikeHeader, const IkeNoncePayload *noncePayload)
Find a half-open IKE SA that matches an incoming IKE_SA_INIT request.
Definition: ike_misc.c:244
void ikeDeleteChildSaEntry(IkeChildSaEntry *childSa)
Delete a Child Security Association.
Definition: ike_misc.c:501
error_t ikeGenerateChildSaSpi(IkeChildSaEntry *childSa, uint8_t *spi)
Generate a new Child SA SPI.
Definition: ike_misc.c:615
IkeChildSaEntry * ikeCreateChildSaEntry(IkeContext *context)
Create a new Child Security Association.
Definition: ike_misc.c:396
void ikeDeleteDuplicateSaEntries(IkeSaEntry *sa)
Delete duplicate IKE Security Associations.
Definition: ike_misc.c:353
IkeSaEntry * ikeFindSaEntry(IkeContext *context, const IkeHeader *ikeHeader)
Find an IKE SA that matches an incoming IKE message.
Definition: ike_misc.c:183
error_t ikeCreateIpsecSaPair(IkeChildSaEntry *childSa)
Create AH or ESP SA pair.
Definition: ike_misc.c:1010
IkeSaEntry * ikeCreateSaEntry(IkeContext *context)
Create a new IKE Security Association.
Definition: ike_misc.c:136
error_t ikeCheckTs(IkeChildSaEntry *childSa, const IkeTsPayload *tsiPayload, const IkeTsPayload *tsrPayload)
Check whether the selected traffic selectors are acceptable.
Definition: ike_misc.c:854
error_t ikeCheckNonceLength(IkeSaEntry *sa, size_t nonceLen)
Check the length of the nonce.
Definition: ike_misc.c:934
Helper functions for IKEv2.
error_t ikeParseCookieNotification(IkeSaEntry *sa, const IkeNotifyPayload *notifyPayload)
Parse COOKIE notification.
Definition: ike_payload_parse.c:603
error_t ikeParseInvalidKeyPayloadNotification(IkeSaEntry *sa, const IkeNotifyPayload *notifyPayload)
Parse INVALID_KE_PAYLOAD notification.
Definition: ike_payload_parse.c:562
error_t ikeParseKePayload(IkeSaEntry *sa, const IkeKePayload *kePayload)
Parse Key Exchange payload.
Definition: ike_payload_parse.c:309
error_t ikeParseCertReqPayload(IkeSaEntry *sa, const IkeCertReqPayload *certReqPayload)
Parse Certificate Request payload.
Definition: ike_payload_parse.c:383
const IkeNotifyPayload * ikeGetStatusNotifyPayload(const uint8_t *message, size_t length, uint16_t type)
Search an IKE message for a given status Notify payload.
Definition: ike_payload_parse.c:953
error_t ikeParseSignHashAlgosNotification(IkeSaEntry *sa, const IkeNotifyPayload *notifyPayload)
Parse SIGNATURE_HASH_ALGORITHMS notification.
Definition: ike_payload_parse.c:637
const IkePayloadHeader * ikeGetPayload(const uint8_t *message, size_t length, uint8_t type, uint_t index)
Search an IKE message for a given payload type.
Definition: ike_payload_parse.c:799
error_t ikeParseIdPayload(IkeSaEntry *sa, const IkeIdPayload *idPayload)
Parse Identification payload.
Definition: ike_payload_parse.c:348
error_t ikeParseDeletePayload(IkeSaEntry *sa, const IkeDeletePayload *deletePayload, bool_t response)
Parse Delete payload.
Definition: ike_payload_parse.c:454
error_t ikeCheckCriticalPayloads(const uint8_t *message, size_t length, uint8_t *unsupportedCriticalPayload)
Check whether the message contains an unsupported critical payload.
Definition: ike_payload_parse.c:1035
error_t ikeParseNoncePayload(const IkeNoncePayload *noncePayload, uint8_t *nonce, size_t *nonceLen)
Parse Nonce payload.
Definition: ike_payload_parse.c:417
const IkeNotifyPayload * ikeGetErrorNotifyPayload(const uint8_t *message, size_t length)
Search an IKE message for an error Notify payload.
Definition: ike_payload_parse.c:871
error_t ikeParseSaPayload(const IkeSaPayload *saPayload)
Parse Security Association payload.
Definition: ike_payload_parse.c:58
IKE payload parsing.
IpsecPadEntry * ipsecFindPadEntry(IpsecContext *context, uint8_t idType, const uint8_t *id, size_t idLen)
Find PAD entry that matches the specified identification data.
Definition: ipsec_misc.c:243
Helper routines for IPsec.