- working policy installation and removal
[strongswan.git] / Source / charon / sa / states / ike_auth_requested.c
1 /**
2 * @file ike_auth_requested.c
3 *
4 * @brief Implementation of ike_auth_requested_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_auth_requested.h"
24
25 #include <daemon.h>
26 #include <utils/allocator.h>
27 #include <encoding/payloads/ts_payload.h>
28 #include <encoding/payloads/sa_payload.h>
29 #include <encoding/payloads/id_payload.h>
30 #include <encoding/payloads/auth_payload.h>
31 #include <encoding/payloads/notify_payload.h>
32 #include <transforms/signers/signer.h>
33 #include <transforms/crypters/crypter.h>
34 #include <sa/states/ike_sa_established.h>
35 #include <sa/authenticator.h>
36 #include <sa/child_sa.h>
37
38 typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
39
40 /**
41 * Private data of a ike_auth_requested_t object.
42 *
43 */
44 struct private_ike_auth_requested_t {
45 /**
46 * Public interface of ike_auth_requested_t.
47 */
48 ike_auth_requested_t public;
49
50 /**
51 * Assigned IKE_SA.
52 */
53 protected_ike_sa_t *ike_sa;
54
55 /**
56 * SA config, just a copy of the one stored in the ike_sa.
57 */
58 sa_config_t *sa_config;
59
60 /**
61 * Received nonce from responder.
62 */
63 chunk_t received_nonce;
64
65 /**
66 * Sent nonce in IKE_SA_INIT request.
67 */
68 chunk_t sent_nonce;
69
70 /**
71 * IKE_SA_INIT-Request in binary form.
72 */
73 chunk_t ike_sa_init_reply_data;
74
75 /**
76 * Proposal to setup CHILD_SA
77 */
78 proposal_t *proposal;
79
80 /**
81 * Traffic selectors applicable at our site
82 */
83 linked_list_t *my_ts;
84
85 /**
86 * Traffic selectors applicable at remote site
87 */
88 linked_list_t *other_ts;
89
90 /**
91 * Child sa created in ike_sa_init_requested
92 */
93 child_sa_t *child_sa;
94
95 /**
96 * Assigned Logger.
97 *
98 * Is logger of ike_sa!
99 */
100 logger_t *logger;
101
102 /**
103 * Process the IDr payload (check if other id is valid)
104 *
105 * @param this calling object
106 * @param idr_payload ID payload of responder
107 * @return
108 * - SUCCESS
109 * - DELETE_ME
110 */
111 status_t (*process_idr_payload) (private_ike_auth_requested_t *this, id_payload_t *idr_payload);
112
113 /**
114 * Process the SA payload (check if selected proposals are valid, setup child sa)
115 *
116 * @param this calling object
117 * @param sa_payload SA payload of responder
118 *
119 * - SUCCESS
120 * - DELETE_ME
121 */
122 status_t (*process_sa_payload) (private_ike_auth_requested_t *this, sa_payload_t *sa_payload);
123
124 /**
125 * Process the AUTH payload (check authenticity of message)
126 *
127 * @param this calling object
128 * @param auth_payload AUTH payload of responder
129 * @param other_id_payload ID payload of responder
130 *
131 * - SUCCESS
132 * - DELETE_ME
133 */
134 status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload);
135
136 /**
137 * Process the TS payload (check if selected traffic selectors are valid)
138 *
139 * @param this calling object
140 * @param ts_initiator TRUE if TS payload is TSi, FALSE for TSr
141 * @param ts_payload TS payload of responder
142 *
143 * - SUCCESS
144 * - DELETE_ME
145 */
146 status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload);
147
148 /**
149 * Process a notify payload
150 *
151 * @param this calling object
152 * @param notify_payload notify payload
153 *
154 * - SUCCESS
155 * - FAILED
156 * - DELETE_ME
157 */
158 status_t (*process_notify_payload) (private_ike_auth_requested_t *this, notify_payload_t *notify_payload);
159
160 /**
161 * Destroy function called internally of this class after state change to
162 * state IKE_SA_ESTABLISHED succeeded.
163 *
164 * This destroy function does not destroy objects which were passed to the new state.
165 *
166 * @param this calling object
167 */
168 void (*destroy_after_state_change) (private_ike_auth_requested_t *this);
169 };
170
171
172 /**
173 * Implements state_t.process_message
174 */
175 static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply)
176 {
177 ts_payload_t *tsi_payload = NULL, *tsr_payload = NULL;
178 id_payload_t *idr_payload = NULL;
179 auth_payload_t *auth_payload = NULL;
180 sa_payload_t *sa_payload = NULL;
181 iterator_t *payloads = NULL;
182 crypter_t *crypter = NULL;
183 signer_t *signer = NULL;
184 status_t status;
185 host_t *my_host, *other_host;
186 chunk_t seed;
187 prf_plus_t *prf_plus;
188
189 if (ike_auth_reply->get_exchange_type(ike_auth_reply) != IKE_AUTH)
190 {
191 this->logger->log(this->logger, ERROR | LEVEL1, "Message of type %s not supported in state ike_auth_requested",
192 mapping_find(exchange_type_m,ike_auth_reply->get_exchange_type(ike_auth_reply)));
193 return FAILED;
194 }
195
196 if (ike_auth_reply->get_request(ike_auth_reply))
197 {
198 this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH requests not allowed state ike_sa_init_responded");
199 return FAILED;
200 }
201
202 /* get signer for verification and crypter for decryption */
203 signer = this->ike_sa->get_signer_responder(this->ike_sa);
204 crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
205
206 /* parse incoming message */
207 status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer);
208 if (status != SUCCESS)
209 {
210 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply decryption failed. Ignoring message");
211 return status;
212 }
213
214 this->sa_config = this->ike_sa->get_sa_config(this->ike_sa);
215
216 /* we collect all payloads, which are processed later. Notify's are processed
217 * in place, since we don't know how may are there.
218 */
219 payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply);
220 while (payloads->has_next(payloads))
221 {
222 payload_t *payload;
223 payloads->current(payloads, (void**)&payload);
224
225 switch (payload->get_type(payload))
226 {
227 case AUTHENTICATION:
228 {
229 auth_payload = (auth_payload_t*)payload;
230 break;
231 }
232 case ID_RESPONDER:
233 {
234 idr_payload = (id_payload_t*)payload;
235 break;
236 }
237 case SECURITY_ASSOCIATION:
238 {
239 sa_payload = (sa_payload_t*)payload;
240 break;
241 }
242 case TRAFFIC_SELECTOR_INITIATOR:
243 {
244 tsi_payload = (ts_payload_t*)payload;
245 break;
246 }
247 case TRAFFIC_SELECTOR_RESPONDER:
248 {
249 tsr_payload = (ts_payload_t*)payload;
250 break;
251 }
252 case NOTIFY:
253 {
254 notify_payload_t *notify_payload = (notify_payload_t *) payload;
255 /* handle the notify directly, abort if no further processing required */
256 status = this->process_notify_payload(this, notify_payload);
257 if (status != SUCCESS)
258 {
259 payloads->destroy(payloads);
260 return status;
261 }
262 }
263 case CERTIFICATE:
264 {
265 /* TODO handle cert payloads */
266 }
267 default:
268 {
269 this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)",
270 mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload));
271 break;
272 }
273 }
274 }
275 /* iterator can be destroyed */
276 payloads->destroy(payloads);
277
278 /* check if we have all payloads */
279 if (!(idr_payload && sa_payload && auth_payload && tsi_payload && tsr_payload))
280 {
281 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA");
282 return DELETE_ME;
283 }
284
285 /* process all payloads */
286 status = this->process_idr_payload(this, idr_payload);
287 if (status != SUCCESS)
288 {
289 return status;
290 }
291 status = this->process_auth_payload(this, auth_payload,idr_payload);
292 if (status != SUCCESS)
293 {
294 return status;
295 }
296 status = this->process_sa_payload(this, sa_payload);
297 if (status != SUCCESS)
298 {
299 return status;
300 }
301 status = this->process_ts_payload(this, TRUE, tsi_payload);
302 if (status != SUCCESS)
303 {
304 return status;
305 }
306 status = this->process_ts_payload(this, FALSE, tsr_payload);
307 if (status != SUCCESS)
308 {
309 return status;
310 }
311
312 /* install child SAs for AH and esp */
313 if (!this->child_sa)
314 {
315 this->logger->log(this->logger, CONTROL, "No CHILD_SA requested, no CHILD_SA built");
316 }
317 if (!this->proposal)
318 {
319 this->logger->log(this->logger, CONTROL, "Proposal negotiation failed, no CHILD_SA built");
320 this->child_sa->destroy(this->child_sa);
321 this->child_sa = NULL;
322 }
323 else if (this->my_ts->get_count(this->my_ts) == 0 || this->other_ts->get_count(this->other_ts) == 0)
324 {
325 this->logger->log(this->logger, CONTROL, "Traffic selector negotiation failed, no CHILD_SA built");
326 this->child_sa->destroy(this->child_sa);
327 this->child_sa = NULL;
328 }
329 else
330 {
331 seed = allocator_alloc_as_chunk(this->sent_nonce.len + this->received_nonce.len);
332 memcpy(seed.ptr, this->sent_nonce.ptr, this->sent_nonce.len);
333 memcpy(seed.ptr + this->sent_nonce.len, this->received_nonce.ptr, this->received_nonce.len);
334 prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
335 allocator_free_chunk(&seed);
336
337 status = this->child_sa->update(this->child_sa, this->proposal, prf_plus);
338 prf_plus->destroy(prf_plus);
339 if (status != SUCCESS)
340 {
341 this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA");
342 return DELETE_ME;
343 }
344 status = this->child_sa->add_policies(this->child_sa, this->my_ts, this->other_ts);
345 if (status != SUCCESS)
346 {
347 this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA policy! Deleting IKE_SA");
348 return DELETE_ME;
349 }
350 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
351 }
352
353 this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
354 /* create new state */
355 my_host = this->ike_sa->get_my_host(this->ike_sa);
356 other_host = this->ike_sa->get_other_host(this->ike_sa);
357 this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s",
358 my_host->get_address(my_host), other_host->get_address(other_host),
359 mapping_find(auth_method_m, auth_payload->get_auth_method(auth_payload)));
360
361 this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
362 this->destroy_after_state_change(this);
363 return SUCCESS;
364 }
365
366 /**
367 * Implements private_ike_auth_requested_t.process_idr_payload
368 */
369 static status_t process_idr_payload(private_ike_auth_requested_t *this, id_payload_t *idr_payload)
370 {
371 identification_t *other_id, *configured_other_id;
372
373 other_id = idr_payload->get_identification(idr_payload);
374
375 configured_other_id = this->sa_config->get_other_id(this->sa_config);
376 if (configured_other_id)
377 {
378 this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s",
379 configured_other_id->get_string(configured_other_id),
380 other_id->get_string(other_id));
381
382 if (!other_id->equals(other_id, configured_other_id))
383 {
384 other_id->destroy(other_id);
385 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not requested ID. Deleting IKE_SA");
386 return DELETE_ME;
387 }
388 }
389
390 other_id->destroy(other_id);
391 /* TODO do we have to store other_id somewhere ? */
392 return SUCCESS;
393 }
394
395 /**
396 * Implements private_ike_auth_requested_t.process_sa_payload
397 */
398 static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payload_t *sa_payload)
399 {
400 proposal_t *proposal, *proposal_tmp;
401 linked_list_t *proposal_list;
402
403 /* get his selected proposal */
404 proposal_list = sa_payload->get_proposals(sa_payload);
405 /* check count of proposals */
406 if (proposal_list->get_count(proposal_list) == 0)
407 {
408 /* no proposal? we accept this, but no child sa is built */
409 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD didn't contain any proposals. No CHILD_SA created",
410 proposal_list->get_count(proposal_list));
411 proposal_list->destroy(proposal_list);
412 return SUCCESS;
413 }
414 if (proposal_list->get_count(proposal_list) > 1)
415 {
416 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD contained %d proposal. Deleting IKE_SA",
417 proposal_list->get_count(proposal_list));
418 while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
419 {
420 proposal->destroy(proposal);
421 }
422 proposal_list->destroy(proposal_list);
423 return DELETE_ME;
424 }
425
426 /* we have to re-check here if other's selection is valid */
427 proposal = this->sa_config->select_proposal(this->sa_config, proposal_list);
428 /* list not needed anymore */
429 while (proposal_list->remove_last(proposal_list, (void**)&proposal_tmp) == SUCCESS)
430 {
431 proposal_tmp->destroy(proposal_tmp);
432 }
433 proposal_list->destroy(proposal_list);
434 /* got a match? */
435 if (proposal == NULL)
436 {
437 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not offered proposal. Deleting IKE_SA");
438 return DELETE_ME;
439 }
440
441 /* apply proposal */
442 this->proposal = proposal;
443
444 return SUCCESS;
445 }
446
447 /**
448 * Implements private_ike_auth_requested_t.process_auth_payload
449 */
450 static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload)
451 {
452 authenticator_t *authenticator;
453 status_t status;
454
455 authenticator = authenticator_create(this->ike_sa);
456 status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE);
457 authenticator->destroy(authenticator);
458 if (status != SUCCESS)
459 {
460 this->logger->log(this->logger, AUDIT, "Verification of IKE_AUTH reply failed. Deleting IKE_SA");
461 return DELETE_ME;
462 }
463
464 this->logger->log(this->logger, CONTROL|LEVEL1, "AUTH data verified successfully");
465 return SUCCESS;
466 }
467
468 /**
469 * Implements private_ike_auth_requested_t.process_ts_payload
470 */
471 static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload)
472 {
473 linked_list_t *ts_received, *ts_selected;
474 traffic_selector_t *ts;
475
476 /* get ts form payload */
477 ts_received = ts_payload->get_traffic_selectors(ts_payload);
478 /* select ts depending on payload type */
479 if (ts_initiator)
480 {
481 ts_selected = this->sa_config->select_my_traffic_selectors(this->sa_config, ts_received);
482 this->my_ts = ts_selected;
483 }
484 else
485 {
486 ts_selected = this->sa_config->select_other_traffic_selectors(this->sa_config, ts_received);
487 this->other_ts = ts_selected;
488 }
489 /* check if the responder selected valid proposals */
490 if (ts_selected->get_count(ts_selected) != ts_received->get_count(ts_received))
491 {
492 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained not offered traffic selectors.");
493 }
494
495 /* cleanup */
496 while (ts_received->remove_last(ts_received, (void**)&ts) == SUCCESS)
497 {
498 ts->destroy(ts);
499 }
500 ts_received->destroy(ts_received);
501
502 return SUCCESS;
503 }
504
505 /**
506 * Implements private_ike_auth_requested_t.process_notify_payload
507 */
508 static status_t process_notify_payload(private_ike_auth_requested_t *this, notify_payload_t *notify_payload)
509 {
510 notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
511
512 this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
513 mapping_find(notify_message_type_m, notify_message_type),
514 mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
515
516 if (notify_payload->get_protocol_id(notify_payload) != IKE)
517 {
518 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a notify for an invalid protocol. Deleting IKE_SA");
519 return DELETE_ME;
520 }
521
522 switch (notify_message_type)
523 {
524 case INVALID_SYNTAX:
525 {
526 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an INVALID_SYNTAX notify. Deleting IKE_SA");
527 return DELETE_ME;
528
529 }
530 case AUTHENTICATION_FAILED:
531 {
532 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an AUTHENTICATION_FAILED notify. Deleting IKE_SA");
533 return DELETE_ME;
534
535 }
536 case SINGLE_PAIR_REQUIRED:
537 {
538 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a SINGLE_PAIR_REQUIRED notify. Deleting IKE_SA");
539 return DELETE_ME;
540 }
541 default:
542 {
543 /*
544 * - In case of unknown error: IKE_SA gets destroyed.
545 * - In case of unknown status: logging
546 */
547
548 if (notify_message_type < 16383)
549 {
550 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an unknown notify error (%d). Deleting IKE_SA",
551 notify_message_type);
552 return DELETE_ME;
553
554 }
555 else
556 {
557 this->logger->log(this->logger, CONTROL, "IKE_AUTH reply contained an unknown notify (%d), ignored.",
558 notify_message_type);
559 return SUCCESS;
560 }
561 }
562 }
563 }
564
565 /**
566 * Implements state_t.get_state
567 */
568 static ike_sa_state_t get_state(private_ike_auth_requested_t *this)
569 {
570 return IKE_AUTH_REQUESTED;
571 }
572
573 /**
574 * Implements state_t.get_state
575 */
576 static void destroy(private_ike_auth_requested_t *this)
577 {
578 allocator_free_chunk(&(this->received_nonce));
579 allocator_free_chunk(&(this->sent_nonce));
580 allocator_free_chunk(&(this->ike_sa_init_reply_data));
581 if (this->child_sa)
582 {
583 this->child_sa->destroy(this->child_sa);
584 }
585 if (this->my_ts)
586 {
587 traffic_selector_t *ts;
588 while (this->my_ts->remove_last(this->my_ts, (void**)&ts) == SUCCESS)
589 {
590 ts->destroy(ts);
591 }
592 this->my_ts->destroy(this->my_ts);
593 }
594 if (this->other_ts)
595 {
596 traffic_selector_t *ts;
597 while (this->other_ts->remove_last(this->other_ts, (void**)&ts) == SUCCESS)
598 {
599 ts->destroy(ts);
600 }
601 this->other_ts->destroy(this->other_ts);
602 }
603 if (this->proposal)
604 {
605 this->proposal->destroy(this->proposal);
606 }
607 allocator_free(this);
608 }
609 /**
610 * Implements protected_ike_sa_t.destroy_after_state_change
611 */
612 static void destroy_after_state_change(private_ike_auth_requested_t *this)
613 {
614 allocator_free_chunk(&(this->received_nonce));
615 allocator_free_chunk(&(this->sent_nonce));
616 allocator_free_chunk(&(this->ike_sa_init_reply_data));
617 if (this->my_ts)
618 {
619 traffic_selector_t *ts;
620 while (this->my_ts->remove_last(this->my_ts, (void**)&ts) == SUCCESS)
621 {
622 ts->destroy(ts);
623 }
624 this->my_ts->destroy(this->my_ts);
625 }
626 if (this->other_ts)
627 {
628 traffic_selector_t *ts;
629 while (this->other_ts->remove_last(this->other_ts, (void**)&ts) == SUCCESS)
630 {
631 ts->destroy(ts);
632 }
633 this->other_ts->destroy(this->other_ts);
634 }
635 if (this->proposal)
636 {
637 this->proposal->destroy(this->proposal);
638 }
639 allocator_free(this);
640 }
641
642 /*
643 * Described in header.
644 */
645 ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk_t sent_nonce,chunk_t received_nonce,chunk_t ike_sa_init_reply_data, child_sa_t *child_sa)
646 {
647 private_ike_auth_requested_t *this = allocator_alloc_thing(private_ike_auth_requested_t);
648
649 /* interface functions */
650 this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
651 this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
652 this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
653
654 /* private functions */
655 this->process_idr_payload = process_idr_payload;
656 this->process_sa_payload = process_sa_payload;
657 this->process_auth_payload = process_auth_payload;
658 this->process_ts_payload = process_ts_payload;
659 this->process_notify_payload = process_notify_payload;
660 this->destroy_after_state_change = destroy_after_state_change;
661
662 /* private data */
663 this->ike_sa = ike_sa;
664 this->received_nonce = received_nonce;
665 this->sent_nonce = sent_nonce;
666 this->ike_sa_init_reply_data = ike_sa_init_reply_data;
667 this->logger = this->ike_sa->get_logger(this->ike_sa);
668 this->my_ts = NULL;
669 this->other_ts = NULL;
670 this->proposal = NULL;
671 this->child_sa = child_sa;
672
673 return &(this->public);
674 }