../svn-commit.tmp
[strongswan.git] / Source / charon / sa / states / ike_auth_requested.c
1 /**
2 * @file ike_auth_requested.c
3 *
4 * @brief Implementation of ike_auth_requested_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_auth_requested.h"
24
25 #include <daemon.h>
26 #include <utils/allocator.h>
27 #include <encoding/payloads/ts_payload.h>
28 #include <encoding/payloads/sa_payload.h>
29 #include <encoding/payloads/id_payload.h>
30 #include <encoding/payloads/auth_payload.h>
31 #include <encoding/payloads/notify_payload.h>
32 #include <transforms/signers/signer.h>
33 #include <transforms/crypters/crypter.h>
34 #include <sa/states/ike_sa_established.h>
35 #include <sa/authenticator.h>
36
37 typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
38
39 /**
40 * Private data of a ike_auth_requested_t object.
41 *
42 */
43 struct private_ike_auth_requested_t {
44 /**
45 * Public interface of ike_auth_requested_t.
46 */
47 ike_auth_requested_t public;
48
49 /**
50 * Assigned IKE_SA.
51 */
52 protected_ike_sa_t *ike_sa;
53
54 /**
55 * SA config, just a copy of the one stored in the ike_sa.
56 */
57 sa_config_t *sa_config;
58
59 /**
60 * Received nonce from responder.
61 */
62 chunk_t received_nonce;
63
64 /**
65 * Sent nonce in IKE_SA_INIT request.
66 */
67 chunk_t sent_nonce;
68
69 /**
70 * IKE_SA_INIT-Request in binary form.
71 */
72 chunk_t ike_sa_init_reply_data;
73
74 /**
75 * Assigned Logger.
76 *
77 * Is logger of ike_sa!
78 */
79 logger_t *logger;
80
81 /**
82 * Process the IDr payload (check if other id is valid)
83 *
84 * @param this calling object
85 * @param idr_payload ID payload of responder
86 * @return
87 * - SUCCESS
88 * - DELETE_ME
89 */
90 status_t (*process_idr_payload) (private_ike_auth_requested_t *this, id_payload_t *idr_payload);
91
92 /**
93 * Process the SA payload (check if selected proposals are valid, setup child sa)
94 *
95 * @param this calling object
96 * @param sa_payload SA payload of responder
97 *
98 * - SUCCESS
99 * - DELETE_ME
100 */
101 status_t (*process_sa_payload) (private_ike_auth_requested_t *this, sa_payload_t *sa_payload);
102
103 /**
104 * Process the AUTH payload (check authenticity of message)
105 *
106 * @param this calling object
107 * @param auth_payload AUTH payload of responder
108 * @param other_id_payload ID payload of responder
109 *
110 * - SUCCESS
111 * - DELETE_ME
112 */
113 status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload);
114
115 /**
116 * Process the TS payload (check if selected traffic selectors are valid)
117 *
118 * @param this calling object
119 * @param ts_initiator TRUE if TS payload is TSi, FALSE for TSr
120 * @param ts_payload TS payload of responder
121 *
122 * - SUCCESS
123 * - DELETE_ME
124 */
125 status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload);
126
127 };
128
129
130 /**
131 * Implements state_t.process_message
132 */
133 static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply)
134 {
135 ts_payload_t *tsi_payload, *tsr_payload;
136 id_payload_t *idr_payload = NULL;
137 auth_payload_t *auth_payload;
138 sa_payload_t *sa_payload;
139 iterator_t *payloads;
140 crypter_t *crypter;
141 signer_t *signer;
142 status_t status;
143
144 if (ike_auth_reply->get_exchange_type(ike_auth_reply) != IKE_AUTH)
145 {
146 this->logger->log(this->logger, ERROR | LEVEL1, "Message of type %s not supported in state ike_auth_requested",
147 mapping_find(exchange_type_m,ike_auth_reply->get_exchange_type(ike_auth_reply)));
148 return FAILED;
149 }
150
151 if (ike_auth_reply->get_request(ike_auth_reply))
152 {
153 this->logger->log(this->logger, ERROR | LEVEL1, "Only responses of type IKE_AUTH supported in state ike_auth_requested");
154 return FAILED;
155 }
156
157 /* get signer for verification and crypter for decryption */
158 signer = this->ike_sa->get_signer_responder(this->ike_sa);
159 crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
160
161 /* parse incoming message */
162 status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer);
163 if (status != SUCCESS)
164 {
165 this->logger->log(this->logger, ERROR | LEVEL1, "Could not parse body of request message");
166 return status;
167 }
168
169 this->sa_config = this->ike_sa->get_sa_config(this->ike_sa);
170
171 /* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */
172 payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply);
173 while (payloads->has_next(payloads))
174 {
175 payload_t *payload;
176 payloads->current(payloads, (void**)&payload);
177
178 switch (payload->get_type(payload))
179 {
180 case AUTHENTICATION:
181 {
182 auth_payload = (auth_payload_t*)payload;
183 break;
184 }
185 case ID_RESPONDER:
186 {
187 idr_payload = (id_payload_t*)payload;
188 break;
189 }
190 case SECURITY_ASSOCIATION:
191 {
192 sa_payload = (sa_payload_t*)payload;
193 break;
194 }
195 case CERTIFICATE:
196 {
197 /* TODO handle cert payloads */
198 break;
199 }
200 case TRAFFIC_SELECTOR_INITIATOR:
201 {
202 tsi_payload = (ts_payload_t*)payload;
203 break;
204 }
205 case TRAFFIC_SELECTOR_RESPONDER:
206 {
207 tsr_payload = (ts_payload_t*)payload;
208 break;
209 }
210 case NOTIFY:
211 {
212 notify_payload_t *notify_payload = (notify_payload_t *) payload;
213
214
215 this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
216 mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
217 mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
218
219 if (notify_payload->get_protocol_id(notify_payload) != IKE)
220 {
221 this->logger->log(this->logger, ERROR | LEVEL1, "Notify reply not for IKE protocol");
222 payloads->destroy(payloads);
223 return DELETE_ME;
224 }
225
226 switch (notify_payload->get_notify_message_type(notify_payload))
227 {
228 case INVALID_SYNTAX:
229 {
230 this->logger->log(this->logger, ERROR, "Going to destroy IKE_SA");
231 payloads->destroy(payloads);
232 return DELETE_ME;
233
234 }
235 case AUTHENTICATION_FAILED:
236 {
237 this->logger->log(this->logger, ERROR, "Keys invalid?. Going to destroy IKE_SA");
238 payloads->destroy(payloads);
239 return DELETE_ME;
240
241 }
242 case SINGLE_PAIR_REQUIRED:
243 {
244 this->logger->log(this->logger, ERROR, "Please reconfigure CHILD_SA. Going to destroy IKE_SA");
245 payloads->destroy(payloads);
246 return DELETE_ME;
247 }
248 default:
249 {
250 /*
251 * - In case of unknown error: IKE_SA gets destroyed.
252 * - In case of unknown status: logging
253 *
254 */
255 notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
256 if (notify_message_type < 16383)
257 {
258 this->logger->log(this->logger, ERROR, "Notify error type %d not recognized in state IKE_AUTH_REQUESTED.",
259 notify_message_type);
260 payloads->destroy(payloads);
261 return DELETE_ME;
262
263 }
264 else
265 {
266 this->logger->log(this->logger, ERROR, "Notify status type %d not handled in state IKE_AUTH_REQUESTED.",
267 notify_message_type);
268 break;
269 }
270 }
271 }
272 }
273 default:
274 {
275 this->logger->log(this->logger, ERROR, "Payload id %d not handled in state IKE_AUTH_REQUESTED", payload->get_type(payload));
276 break;
277 }
278 }
279 }
280 /* iterator can be destroyed */
281 payloads->destroy(payloads);
282
283 /* process all payloads */
284 status = this->process_idr_payload(this, idr_payload);
285 if (status != SUCCESS)
286 {
287 this->logger->log(this->logger, ERROR, "Processing idr payload failed");
288 return status;
289 }
290 status = this->process_sa_payload(this, sa_payload);
291 if (status != SUCCESS)
292 {
293 this->logger->log(this->logger, ERROR, "Processing sa payload failed");
294 return status;
295 }
296 status = this->process_auth_payload(this, auth_payload,idr_payload);
297 if (status != SUCCESS)
298 {
299 this->logger->log(this->logger, ERROR, "Processing auth payload failed");
300 return status;
301 }
302 status = this->process_ts_payload(this, TRUE, tsi_payload);
303 if (status != SUCCESS)
304 {
305 this->logger->log(this->logger, ERROR, "Processing tsi payload failed");
306 return status;
307 }
308 status = this->process_ts_payload(this, FALSE, tsr_payload);
309 if (status != SUCCESS)
310 {
311 this->logger->log(this->logger, ERROR, "Processing tsr payload failed");
312 return status;
313 }
314
315 this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
316 this->logger->log(this->logger, CONTROL | LEVEL1, "IKE_AUTH response successfully handled. IKE_SA established.");
317
318 /* create new state */
319 this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
320 this->ike_sa->create_delete_established_ike_sa_job(this->ike_sa,this->sa_config->get_ike_sa_lifetime(this->sa_config));
321
322 this->public.state_interface.destroy(&(this->public.state_interface));
323 return SUCCESS;
324 }
325
326 /**
327 * Implements private_ike_auth_requested_t.process_idr_payload
328 */
329 static status_t process_idr_payload(private_ike_auth_requested_t *this, id_payload_t *idr_payload)
330 {
331 identification_t *other_id, *configured_other_id;
332
333 other_id = idr_payload->get_identification(idr_payload);
334
335 configured_other_id = this->sa_config->get_other_id(this->sa_config);
336 if (configured_other_id)
337 {
338 this->logger->log(this->logger, CONTROL, "configured ID: %s, ID of responder: %s",
339 configured_other_id->get_string(configured_other_id),
340 other_id->get_string(other_id));
341
342 if (!other_id->equals(other_id, configured_other_id))
343 {
344 other_id->destroy(other_id);
345 this->logger->log(this->logger, ERROR, "IKE_AUTH reply didn't contain requested id");
346 return DELETE_ME;
347 }
348 }
349
350 other_id->destroy(other_id);
351 /* TODO do we have to store other_id somewhere ? */
352 return SUCCESS;
353 }
354
355 /**
356 * Implements private_ike_auth_requested_t.process_sa_payload
357 */
358 static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payload_t *sa_payload)
359 {
360 child_proposal_t *proposals, *proposal_chosen;
361 size_t proposal_count;
362 status_t status;
363
364 /* dummy spis, until we have a child sa to request them */
365 u_int8_t ah_spi[4] = {0x01, 0x02, 0x03, 0x04};
366 u_int8_t esp_spi[4] = {0x05, 0x06, 0x07, 0x08};
367
368 /* check selected proposal */
369 status = sa_payload->get_child_proposals(sa_payload, &proposals, &proposal_count);
370 if (status != SUCCESS)
371 {
372 this->logger->log(this->logger, ERROR, "responders sa payload contained no proposals");
373 return DELETE_ME;
374 }
375 if (proposal_count > 1)
376 {
377 allocator_free(proposals);
378 this->logger->log(this->logger, ERROR, "responders sa payload contained more than one proposal");
379 return DELETE_ME;
380 }
381
382 proposal_chosen = this->sa_config->select_proposal(this->sa_config, ah_spi, esp_spi, proposals, proposal_count);
383 if (proposal_chosen == NULL)
384 {
385 this->logger->log(this->logger, ERROR, "responder selected an not offered proposal");
386 allocator_free(proposals);
387 return DELETE_ME;
388 }
389 else
390 {
391 allocator_free(proposal_chosen);
392 }
393
394 allocator_free(proposals);
395
396 return SUCCESS;
397 }
398
399 /**
400 * Implements private_ike_auth_requested_t.process_auth_payload
401 */
402 static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload)
403 {
404 authenticator_t *authenticator;
405 status_t status;
406
407 /* TODO VERIFY auth here */
408 authenticator = authenticator_create(this->ike_sa);
409
410 status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE);
411 authenticator->destroy(authenticator);
412 if (status != SUCCESS)
413 {
414 this->logger->log(this->logger, ERROR, "Could not verify AUTH data. Error status: %s",mapping_find(status_m,status));
415 return DELETE_ME;
416 }
417
418 this->logger->log(this->logger, CONTROL | LEVEL1, "AUTH data verified");
419 return SUCCESS;
420 }
421
422 /**
423 * Implements private_ike_auth_requested_t.process_ts_payload
424 */
425 static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload)
426 {
427 traffic_selector_t **ts_received, **ts_selected;
428 size_t ts_received_count, ts_selected_count;
429 status_t status = SUCCESS;
430
431 /* get ts form payload */
432 ts_received_count = ts_payload->get_traffic_selectors(ts_payload, &ts_received);
433 /* select ts depending on payload type */
434 if (ts_initiator)
435 {
436 ts_selected_count = this->sa_config->select_traffic_selectors_initiator(this->sa_config, ts_received, ts_received_count, &ts_selected);
437 }
438 else
439 {
440 ts_selected_count = this->sa_config->select_traffic_selectors_responder(this->sa_config, ts_received, ts_received_count, &ts_selected);
441 }
442 /* check if the responder selected valid proposals */
443 if (ts_selected_count != ts_received_count)
444 {
445 this->logger->log(this->logger, ERROR, "responder selected invalid traffic selectors");
446 status = DELETE_ME;
447 }
448
449 /* cleanup */
450 while(ts_received_count--)
451 {
452 traffic_selector_t *ts = *ts_received + ts_received_count;
453 ts->destroy(ts);
454 }
455 allocator_free(ts_received);
456 while(ts_selected_count--)
457 {
458 traffic_selector_t *ts = *ts_selected + ts_selected_count;
459 ts->destroy(ts);
460 }
461 allocator_free(ts_selected);
462 return status;
463 }
464 /**
465 * Implements state_t.get_state
466 */
467 static ike_sa_state_t get_state(private_ike_auth_requested_t *this)
468 {
469 return IKE_AUTH_REQUESTED;
470 }
471
472 /**
473 * Implements state_t.get_state
474 */
475 static void destroy(private_ike_auth_requested_t *this)
476 {
477 allocator_free_chunk(&(this->received_nonce));
478 allocator_free_chunk(&(this->sent_nonce));
479 allocator_free_chunk(&(this->ike_sa_init_reply_data));
480 allocator_free(this);
481 }
482
483 /*
484 * Described in header.
485 */
486 ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk_t sent_nonce,chunk_t received_nonce,chunk_t ike_sa_init_reply_data)
487 {
488 private_ike_auth_requested_t *this = allocator_alloc_thing(private_ike_auth_requested_t);
489
490 /* interface functions */
491 this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
492 this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
493 this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
494
495 /* private functions */
496
497 this->process_idr_payload = process_idr_payload;
498 this->process_sa_payload = process_sa_payload;
499 this->process_auth_payload = process_auth_payload;
500 this->process_ts_payload = process_ts_payload;
501
502 /* private data */
503 this->ike_sa = ike_sa;
504 this->received_nonce = received_nonce;
505 this->sent_nonce = sent_nonce;
506 this->ike_sa_init_reply_data = ike_sa_init_reply_data;
507 this->logger = this->ike_sa->get_logger(this->ike_sa);
508
509 return &(this->public);
510 }