- fixed memleaks
[strongswan.git] / Source / charon / sa / states / ike_auth_requested.c
1 /**
2 * @file ike_auth_requested.c
3 *
4 * @brief Implementation of ike_auth_requested_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_auth_requested.h"
24
25 #include <daemon.h>
26 #include <utils/allocator.h>
27 #include <encoding/payloads/ts_payload.h>
28 #include <encoding/payloads/sa_payload.h>
29 #include <encoding/payloads/id_payload.h>
30 #include <encoding/payloads/auth_payload.h>
31 #include <encoding/payloads/notify_payload.h>
32 #include <transforms/signers/signer.h>
33 #include <transforms/crypters/crypter.h>
34 #include <sa/states/ike_sa_established.h>
35 #include <sa/authenticator.h>
36
37 typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
38
39 /**
40 * Private data of a ike_auth_requested_t object.
41 *
42 */
43 struct private_ike_auth_requested_t {
44 /**
45 * Public interface of ike_auth_requested_t.
46 */
47 ike_auth_requested_t public;
48
49 /**
50 * Assigned IKE_SA.
51 */
52 protected_ike_sa_t *ike_sa;
53
54 /**
55 * SA config, just a copy of the one stored in the ike_sa.
56 */
57 sa_config_t *sa_config;
58
59 /**
60 * Received nonce from responder.
61 */
62 chunk_t received_nonce;
63
64 /**
65 * Sent nonce in IKE_SA_INIT request.
66 */
67 chunk_t sent_nonce;
68
69 /**
70 * IKE_SA_INIT-Request in binary form.
71 */
72 chunk_t ike_sa_init_reply_data;
73
74 /**
75 * Assigned Logger.
76 *
77 * Is logger of ike_sa!
78 */
79 logger_t *logger;
80
81 /**
82 * Process the IDr payload (check if other id is valid)
83 *
84 * @param this calling object
85 * @param idr_payload ID payload of responder
86 * @return
87 * - SUCCESS
88 * - DELETE_ME
89 */
90 status_t (*process_idr_payload) (private_ike_auth_requested_t *this, id_payload_t *idr_payload);
91
92 /**
93 * Process the SA payload (check if selected proposals are valid, setup child sa)
94 *
95 * @param this calling object
96 * @param sa_payload SA payload of responder
97 *
98 * - SUCCESS
99 * - DELETE_ME
100 */
101 status_t (*process_sa_payload) (private_ike_auth_requested_t *this, sa_payload_t *sa_payload);
102
103 /**
104 * Process the AUTH payload (check authenticity of message)
105 *
106 * @param this calling object
107 * @param auth_payload AUTH payload of responder
108 * @param other_id_payload ID payload of responder
109 *
110 * - SUCCESS
111 * - DELETE_ME
112 */
113 status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload);
114
115 /**
116 * Process the TS payload (check if selected traffic selectors are valid)
117 *
118 * @param this calling object
119 * @param ts_initiator TRUE if TS payload is TSi, FALSE for TSr
120 * @param ts_payload TS payload of responder
121 *
122 * - SUCCESS
123 * - DELETE_ME
124 */
125 status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload);
126
127 /**
128 * Process a notify payload
129 *
130 * @param this calling object
131 * @param notify_payload notify payload
132 *
133 * - SUCCESS
134 * - FAILED
135 * - DELETE_ME
136 */
137 status_t (*process_notify_payload) (private_ike_auth_requested_t *this, notify_payload_t *notify_payload);
138 };
139
140
141 /**
142 * Implements state_t.process_message
143 */
144 static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply)
145 {
146 ts_payload_t *tsi_payload = NULL, *tsr_payload = NULL;
147 id_payload_t *idr_payload = NULL;
148 auth_payload_t *auth_payload = NULL;
149 sa_payload_t *sa_payload = NULL;
150 iterator_t *payloads = NULL;
151 crypter_t *crypter = NULL;
152 signer_t *signer = NULL;
153 status_t status;
154 host_t *my_host, *other_host;
155
156 if (ike_auth_reply->get_exchange_type(ike_auth_reply) != IKE_AUTH)
157 {
158 this->logger->log(this->logger, ERROR | LEVEL1, "Message of type %s not supported in state ike_auth_requested",
159 mapping_find(exchange_type_m,ike_auth_reply->get_exchange_type(ike_auth_reply)));
160 return FAILED;
161 }
162
163 if (ike_auth_reply->get_request(ike_auth_reply))
164 {
165 this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH requests not allowed state ike_sa_init_responded");
166 return FAILED;
167 }
168
169 /* get signer for verification and crypter for decryption */
170 signer = this->ike_sa->get_signer_responder(this->ike_sa);
171 crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
172
173 /* parse incoming message */
174 status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer);
175 if (status != SUCCESS)
176 {
177 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply decryption failed. Ignoring message");
178 return status;
179 }
180
181 this->sa_config = this->ike_sa->get_sa_config(this->ike_sa);
182
183 /* we collect all payloads, which are processed later. Notify's are processed
184 * in place, since we don't know how may are there.
185 */
186 payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply);
187 while (payloads->has_next(payloads))
188 {
189 payload_t *payload;
190 payloads->current(payloads, (void**)&payload);
191
192 switch (payload->get_type(payload))
193 {
194 case AUTHENTICATION:
195 {
196 auth_payload = (auth_payload_t*)payload;
197 break;
198 }
199 case ID_RESPONDER:
200 {
201 idr_payload = (id_payload_t*)payload;
202 break;
203 }
204 case SECURITY_ASSOCIATION:
205 {
206 sa_payload = (sa_payload_t*)payload;
207 break;
208 }
209 case TRAFFIC_SELECTOR_INITIATOR:
210 {
211 tsi_payload = (ts_payload_t*)payload;
212 break;
213 }
214 case TRAFFIC_SELECTOR_RESPONDER:
215 {
216 tsr_payload = (ts_payload_t*)payload;
217 break;
218 }
219 case NOTIFY:
220 {
221 notify_payload_t *notify_payload = (notify_payload_t *) payload;
222 /* handle the notify directly, abort if no further processing required */
223 status = this->process_notify_payload(this, notify_payload);
224 if (status != SUCCESS)
225 {
226 payloads->destroy(payloads);
227 return status;
228 }
229 }
230 case CERTIFICATE:
231 {
232 /* TODO handle cert payloads */
233 }
234 default:
235 {
236 this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)",
237 mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload));
238 break;
239 }
240 }
241 }
242 /* iterator can be destroyed */
243 payloads->destroy(payloads);
244
245 /* check if we have all payloads */
246 if (!(idr_payload && sa_payload && auth_payload && tsi_payload && tsr_payload))
247 {
248 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA");
249 return DELETE_ME;
250 }
251
252 /* process all payloads */
253 status = this->process_idr_payload(this, idr_payload);
254 if (status != SUCCESS)
255 {
256 return status;
257 }
258 status = this->process_sa_payload(this, sa_payload);
259 if (status != SUCCESS)
260 {
261 return status;
262 }
263 status = this->process_auth_payload(this, auth_payload,idr_payload);
264 if (status != SUCCESS)
265 {
266 return status;
267 }
268 status = this->process_ts_payload(this, TRUE, tsi_payload);
269 if (status != SUCCESS)
270 {
271 return status;
272 }
273 status = this->process_ts_payload(this, FALSE, tsr_payload);
274 if (status != SUCCESS)
275 {
276 return status;
277 }
278
279 this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
280 /* create new state */
281
282 my_host = this->ike_sa->get_my_host(this->ike_sa);
283 other_host = this->ike_sa->get_other_host(this->ike_sa);
284 this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s",
285 my_host->get_address(my_host), other_host->get_address(other_host),
286 mapping_find(auth_method_m, auth_payload->get_auth_method(auth_payload)));
287
288 this->ike_sa->create_delete_established_ike_sa_job(this->ike_sa,this->sa_config->get_ike_sa_lifetime(this->sa_config));
289 this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
290 this->public.state_interface.destroy(&(this->public.state_interface));
291 return SUCCESS;
292 }
293
294 /**
295 * Implements private_ike_auth_requested_t.process_idr_payload
296 */
297 static status_t process_idr_payload(private_ike_auth_requested_t *this, id_payload_t *idr_payload)
298 {
299 identification_t *other_id, *configured_other_id;
300
301 other_id = idr_payload->get_identification(idr_payload);
302
303 configured_other_id = this->sa_config->get_other_id(this->sa_config);
304 if (configured_other_id)
305 {
306 this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s",
307 configured_other_id->get_string(configured_other_id),
308 other_id->get_string(other_id));
309
310 if (!other_id->equals(other_id, configured_other_id))
311 {
312 other_id->destroy(other_id);
313 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not requested ID. Deleting IKE_SA");
314 return DELETE_ME;
315 }
316 }
317
318 other_id->destroy(other_id);
319 /* TODO do we have to store other_id somewhere ? */
320 return SUCCESS;
321 }
322
323 /**
324 * Implements private_ike_auth_requested_t.process_sa_payload
325 */
326 static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payload_t *sa_payload)
327 {
328 child_proposal_t *proposal, *proposal_tmp;
329 linked_list_t *proposal_list;
330 protocol_id_t proto;
331
332 /* get his selected proposal */
333 proposal_list = sa_payload->get_child_proposals(sa_payload);
334 /* check count of proposals */
335 if (proposal_list->get_count(proposal_list) == 0)
336 {
337 /* no proposal? we accept this, but no child sa is built */
338 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD didn't contain any proposals. No CHILD_SA created",
339 proposal_list->get_count(proposal_list));
340 proposal_list->destroy(proposal_list);
341 return SUCCESS;
342 }
343 if (proposal_list->get_count(proposal_list) > 1)
344 {
345 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD contained %d proposal. Deleting IKE_SA",
346 proposal_list->get_count(proposal_list));
347 while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
348 {
349 proposal->destroy(proposal);
350 }
351 proposal_list->destroy(proposal_list);
352 return DELETE_ME;
353 }
354
355 /* we have to re-check here if other's selection is valid */
356 proposal = this->sa_config->select_proposal(this->sa_config, proposal_list);
357 /* list not needed anymore */
358 while (proposal_list->remove_last(proposal_list, (void**)&proposal_tmp) == SUCCESS)
359 {
360 proposal_tmp->destroy(proposal_tmp);
361 }
362 proposal_list->destroy(proposal_list);
363 /* got a match? */
364 if (proposal == NULL)
365 {
366 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not offered proposal. Deleting IKE_SA");
367 return DELETE_ME;
368 }
369 this->logger->log(this->logger, CONTROL|LEVEL1, "selected proposals:");
370 for (proto = AH; proto <= ESP; proto++)
371 {
372 transform_type_t types[] = {ENCRYPTION_ALGORITHM, INTEGRITY_ALGORITHM, DIFFIE_HELLMAN_GROUP, EXTENDED_SEQUENCE_NUMBERS};
373 mapping_t *mappings[] = {encryption_algorithm_m, integrity_algorithm_m, diffie_hellman_group_m, extended_sequence_numbers_m};
374 algorithm_t *algo;
375 int i;
376 for (i = 0; i<sizeof(types)/sizeof(transform_type_t); i++)
377 {
378 if (proposal->get_algorithm(proposal, proto, types[i], &algo))
379 {
380 this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s (keysize: %d)",
381 mapping_find(protocol_id_m, proto),
382 mapping_find(transform_type_m, types[i]),
383 mapping_find(mappings[i], algo->algorithm),
384 algo->key_size);
385 }
386 }
387 }
388
389 /* TODO: Proposal? child_sa */
390 proposal->destroy(proposal);
391
392 return SUCCESS;
393 }
394
395 /**
396 * Implements private_ike_auth_requested_t.process_auth_payload
397 */
398 static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload)
399 {
400 authenticator_t *authenticator;
401 status_t status;
402
403 authenticator = authenticator_create(this->ike_sa);
404 status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE);
405 authenticator->destroy(authenticator);
406 if (status != SUCCESS)
407 {
408 this->logger->log(this->logger, AUDIT, "Verification of IKE_AUTH reply failed. Deleting IKE_SA");
409 return DELETE_ME;
410 }
411
412 this->logger->log(this->logger, CONTROL|LEVEL1, "AUTH data verified successfully");
413 return SUCCESS;
414 }
415
416 /**
417 * Implements private_ike_auth_requested_t.process_ts_payload
418 */
419 static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload)
420 {
421 traffic_selector_t **ts_received, **ts_selected;
422 size_t ts_received_count, ts_selected_count;
423 status_t status = SUCCESS;
424
425 /* get ts form payload */
426 ts_received_count = ts_payload->get_traffic_selectors(ts_payload, &ts_received);
427 /* select ts depending on payload type */
428 if (ts_initiator)
429 {
430 ts_selected_count = this->sa_config->select_traffic_selectors_initiator(this->sa_config, ts_received, ts_received_count, &ts_selected);
431 }
432 else
433 {
434 ts_selected_count = this->sa_config->select_traffic_selectors_responder(this->sa_config, ts_received, ts_received_count, &ts_selected);
435 }
436 /* check if the responder selected valid proposals */
437 if (ts_selected_count != ts_received_count)
438 {
439 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained not offered traffic selectors.");
440 }
441
442 /* cleanup */
443 while(ts_received_count--)
444 {
445 traffic_selector_t *ts = *ts_received + ts_received_count;
446 ts->destroy(ts);
447 }
448 allocator_free(ts_received);
449 while(ts_selected_count--)
450 {
451 traffic_selector_t *ts = *ts_selected + ts_selected_count;
452 ts->destroy(ts);
453 }
454 allocator_free(ts_selected);
455 return status;
456 }
457
458 /**
459 * Implements private_ike_auth_requested_t.process_notify_payload
460 */
461 static status_t process_notify_payload(private_ike_auth_requested_t *this, notify_payload_t *notify_payload)
462 {
463 notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
464
465 this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
466 mapping_find(notify_message_type_m, notify_message_type),
467 mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
468
469 if (notify_payload->get_protocol_id(notify_payload) != IKE)
470 {
471 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a notify for an invalid protocol. Deleting IKE_SA");
472 return DELETE_ME;
473 }
474
475 switch (notify_message_type)
476 {
477 case INVALID_SYNTAX:
478 {
479 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an INVALID_SYNTAX notify. Deleting IKE_SA");
480 return DELETE_ME;
481
482 }
483 case AUTHENTICATION_FAILED:
484 {
485 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an AUTHENTICATION_FAILED notify. Deleting IKE_SA");
486 return DELETE_ME;
487
488 }
489 case SINGLE_PAIR_REQUIRED:
490 {
491 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a SINGLE_PAIR_REQUIRED notify. Deleting IKE_SA");
492 return DELETE_ME;
493 }
494 default:
495 {
496 /*
497 * - In case of unknown error: IKE_SA gets destroyed.
498 * - In case of unknown status: logging
499 */
500
501 if (notify_message_type < 16383)
502 {
503 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an unknown notify error (%d). Deleting IKE_SA",
504 notify_message_type);
505 return DELETE_ME;
506
507 }
508 else
509 {
510 this->logger->log(this->logger, CONTROL, "IKE_AUTH reply contained an unknown notify (%d), ignored.",
511 notify_message_type);
512 return SUCCESS;
513 }
514 }
515 }
516 }
517
518 /**
519 * Implements state_t.get_state
520 */
521 static ike_sa_state_t get_state(private_ike_auth_requested_t *this)
522 {
523 return IKE_AUTH_REQUESTED;
524 }
525
526 /**
527 * Implements state_t.get_state
528 */
529 static void destroy(private_ike_auth_requested_t *this)
530 {
531 allocator_free_chunk(&(this->received_nonce));
532 allocator_free_chunk(&(this->sent_nonce));
533 allocator_free_chunk(&(this->ike_sa_init_reply_data));
534 allocator_free(this);
535 }
536
537 /*
538 * Described in header.
539 */
540 ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk_t sent_nonce,chunk_t received_nonce,chunk_t ike_sa_init_reply_data)
541 {
542 private_ike_auth_requested_t *this = allocator_alloc_thing(private_ike_auth_requested_t);
543
544 /* interface functions */
545 this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
546 this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
547 this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
548
549 /* private functions */
550
551 this->process_idr_payload = process_idr_payload;
552 this->process_sa_payload = process_sa_payload;
553 this->process_auth_payload = process_auth_payload;
554 this->process_ts_payload = process_ts_payload;
555 this->process_notify_payload = process_notify_payload;
556
557 /* private data */
558 this->ike_sa = ike_sa;
559 this->received_nonce = received_nonce;
560 this->sent_nonce = sent_nonce;
561 this->ike_sa_init_reply_data = ike_sa_init_reply_data;
562 this->logger = this->ike_sa->get_logger(this->ike_sa);
563
564 return &(this->public);
565 }