848d27db758d217b4d3a22cdaf75e7f1a2348c62
[strongswan.git] / Source / charon / sa / states / ike_sa_init_responded.c
1 /**
2 * @file ike_sa_init_responded.c
3 *
4 * @brief State of a IKE_SA after responding to an IKE_SA_INIT request
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_sa_init_responded.h"
24
25 #include <daemon.h>
26 #include <utils/allocator.h>
27 #include <sa/authenticator.h>
28 #include <encoding/payloads/ts_payload.h>
29 #include <encoding/payloads/sa_payload.h>
30 #include <encoding/payloads/id_payload.h>
31 #include <encoding/payloads/auth_payload.h>
32 #include <encoding/payloads/notify_payload.h>
33 #include <transforms/signers/signer.h>
34 #include <transforms/crypters/crypter.h>
35 #include <sa/states/ike_sa_established.h>
36
37
38 typedef struct private_ike_sa_init_responded_t private_ike_sa_init_responded_t;
39
40 /**
41 * Private data of a ike_sa_init_responded_t object.
42 *
43 */
44 struct private_ike_sa_init_responded_t {
45 /**
46 * Public interface of ike_sa_init_responded_t.
47 */
48 ike_sa_init_responded_t public;
49
50 /**
51 * Assigned IKE_SA.
52 */
53 protected_ike_sa_t *ike_sa;
54
55 /**
56 * Received nonce.
57 */
58 chunk_t received_nonce;
59
60 /**
61 * Sent nonce.
62 */
63 chunk_t sent_nonce;
64
65 /**
66 * Binary representation of the IKE_SA_INIT response.
67 */
68 chunk_t ike_sa_init_response_data;
69
70 /**
71 * Binary representation of the IKE_SA_INIT request.
72 */
73 chunk_t ike_sa_init_request_data;
74
75 /**
76 * SA config to use.
77 */
78 sa_config_t *sa_config;
79
80 /**
81 * Assigned logger.
82 *
83 * Is logger of ike_sa!
84 */
85 logger_t *logger;
86
87 /**
88 * Process received IDi and IDr payload and build IDr payload for IKE_AUTH response.
89 *
90 * @param this calling object
91 * @param request_idi ID payload representing initiator
92 * @param request_idr ID payload representing responder (May be zero)
93 * @param response The created IDr payload is added to this message_t object
94 * @param response_idr The created IDr payload is also written to this location
95 */
96 status_t (*build_idr_payload) (private_ike_sa_init_responded_t *this,
97 id_payload_t *request_idi,
98 id_payload_t *request_idr,
99 message_t *response,
100 id_payload_t **response_idr);
101
102 /**
103 * Process received SA payload and build SA payload for IKE_AUTH response.
104 *
105 * @param this calling object
106 * @param request SA payload received in IKE_AUTH request
107 * @param response The created SA payload is added to this message_t object
108 */
109 status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response);
110
111 /**
112 * Process received AUTH payload and build AUTH payload for IKE_AUTH response.
113 *
114 * @param this calling object
115 * @param request AUTH payload received in IKE_AUTH request
116 * @param other_id_payload other ID payload needed to verify AUTH data
117 * @param my_id_payload my ID payload needed to compute AUTH data
118 * @param response The created AUTH payload is added to this message_t object
119 */
120 status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload,id_payload_t *my_id_payload, message_t* response);
121
122 /**
123 * Process received TS payload and build TS payload for IKE_AUTH response.
124 *
125 * @param this calling object
126 * @param is_initiator type of TS payload. TRUE for TSi, FALSE for TSr
127 * @param request TS payload received in IKE_AUTH request
128 * @param response the created TS payload is added to this message_t object
129 */
130 status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response);
131
132 /**
133 * Sends a IKE_AUTH reply containing a notify payload.
134 *
135 * @param this calling object
136 * @param notify_payload payload to process
137 * @return
138 * - DELETE_ME if IKE_SA should be deleted
139 * - SUCCSS if processed successfull
140 */
141 status_t (*process_notify_payload) (private_ike_sa_init_responded_t *this, notify_payload_t* notify_payload);
142 };
143
144 /**
145 * Implements state_t.get_state
146 */
147 static status_t process_message(private_ike_sa_init_responded_t *this, message_t *request)
148 {
149 id_payload_t *idi_request = NULL, *idr_request = NULL,*idr_response;
150 ts_payload_t *tsi_request = NULL, *tsr_request = NULL;
151 auth_payload_t *auth_request = NULL;
152 sa_payload_t *sa_request = NULL;
153 iterator_t *payloads;
154 message_t *response;
155 crypter_t *crypter;
156 signer_t *signer;
157 status_t status;
158 host_t *my_host, *other_host;
159
160
161 if (request->get_exchange_type(request) != IKE_AUTH)
162 {
163 this->logger->log(this->logger, ERROR | LEVEL1, "Message of type %s not supported in state ike_sa_init_responded",
164 mapping_find(exchange_type_m,request->get_exchange_type(request)));
165 return FAILED;
166 }
167
168 if (!request->get_request(request))
169 {
170 this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH responses not allowed state ike_sa_init_responded");
171 return FAILED;
172 }
173
174 /* get signer for verification and crypter for decryption */
175 signer = this->ike_sa->get_signer_initiator(this->ike_sa);
176 crypter = this->ike_sa->get_crypter_initiator(this->ike_sa);
177
178 status = request->parse_body(request, crypter, signer);
179 if (status != SUCCESS)
180 {
181 if (status == NOT_SUPPORTED)
182 {
183 this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH request contains unsupported payload with critical flag set."
184 "Deleting IKE_SA");
185 this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, UNSUPPORTED_CRITICAL_PAYLOAD, CHUNK_INITIALIZER);
186 return DELETE_ME;
187 }
188 else
189 {
190 this->logger->log(this->logger, AUDIT, "IKE_AUTH request decryption faild. Ignoring message");
191 }
192 return status;
193 }
194
195 /* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */
196 payloads = request->get_payload_iterator(request);
197 while (payloads->has_next(payloads))
198 {
199 payload_t *payload;
200 payloads->current(payloads, (void**)&payload);
201
202 switch (payload->get_type(payload))
203 {
204 case ID_INITIATOR:
205 {
206 idi_request = (id_payload_t*)payload;
207 break;
208 }
209 case AUTHENTICATION:
210 {
211 auth_request = (auth_payload_t*)payload;
212 break;
213 }
214 case ID_RESPONDER:
215 {
216 idr_request = (id_payload_t*)payload;
217 break;
218 }
219 case SECURITY_ASSOCIATION:
220 {
221 sa_request = (sa_payload_t*)payload;
222 break;
223 }
224
225 case TRAFFIC_SELECTOR_INITIATOR:
226 {
227 tsi_request = (ts_payload_t*)payload;
228 break;
229 }
230 case TRAFFIC_SELECTOR_RESPONDER:
231 {
232 tsr_request = (ts_payload_t*)payload;
233 break;
234 }
235 case NOTIFY:
236 {
237 notify_payload_t *notify_payload = (notify_payload_t *) payload;
238 status = this->process_notify_payload(this, notify_payload);
239 if (status != SUCCESS)
240 {
241 payloads->destroy(payloads);
242 return status;
243 }
244 }
245 case CERTIFICATE:
246 {
247 /* TODO handle cert payloads */
248 }
249 case CERTIFICATE_REQUEST:
250 {
251 /* TODO handle certrequest payloads */
252 }
253 default:
254 {
255 this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring payload %s (%d)",
256 mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload));
257 break;
258 }
259 }
260 }
261 /* iterator can be destroyed */
262 payloads->destroy(payloads);
263
264 /* check if we have all payloads */
265 if (!(idi_request && sa_request && auth_request && tsi_request && tsr_request))
266 {
267 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA");
268 return DELETE_ME;
269 }
270
271 /* build response */
272 this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
273
274 /* add payloads to it */
275 status = this->build_idr_payload(this, idi_request, idr_request, response,&idr_response);
276 if (status != SUCCESS)
277 {
278 response->destroy(response);
279 return status;
280 }
281 status = this->build_sa_payload(this, sa_request, response);
282 if (status != SUCCESS)
283 {
284 response->destroy(response);
285 return status;
286 }
287 status = this->build_auth_payload(this, auth_request,idi_request, idr_response,response);
288 if (status != SUCCESS)
289 {
290 response->destroy(response);
291 return status;
292 }
293 status = this->build_ts_payload(this, TRUE, tsi_request, response);
294 if (status != SUCCESS)
295 {
296 response->destroy(response);
297 return status;
298 }
299 status = this->build_ts_payload(this, FALSE, tsr_request, response);
300 if (status != SUCCESS)
301 {
302 response->destroy(response);
303 return status;
304 }
305
306 status = this->ike_sa->send_response(this->ike_sa, response);
307 /* message can now be sent (must not be destroyed) */
308 if (status != SUCCESS)
309 {
310 this->logger->log(this->logger, AUDIT, "Unable to send IKE_AUTH reply. Deleting IKE_SA");
311 response->destroy(response);
312 return DELETE_ME;
313 }
314
315 /* create new state */my_host = this->ike_sa->get_my_host(this->ike_sa);
316 other_host = this->ike_sa->get_other_host(this->ike_sa);
317 this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s",
318 my_host->get_address(my_host), other_host->get_address(other_host),
319 mapping_find(auth_method_m, auth_request->get_auth_method(auth_request)));
320
321 this->ike_sa->create_delete_established_ike_sa_job(this->ike_sa,this->sa_config->get_ike_sa_lifetime(this->sa_config));
322 this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
323 this->public.state_interface.destroy(&(this->public.state_interface));
324
325 return SUCCESS;
326 }
327
328 /**
329 * Implementation of private_ike_sa_init_responded_t.build_idr_payload.
330 */
331 static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response,id_payload_t **response_idr)
332 {
333 identification_t *other_id, *my_id = NULL;
334 init_config_t *init_config;
335 status_t status;
336 id_payload_t *idr_response;
337
338 other_id = request_idi->get_identification(request_idi);
339 if (request_idr)
340 {
341 my_id = request_idr->get_identification(request_idr);
342 }
343
344 /* build new sa config */
345 init_config = this->ike_sa->get_init_config(this->ike_sa);
346 status = charon->configuration_manager->get_sa_config_for_init_config_and_id(charon->configuration_manager,init_config, other_id,my_id, &(this->sa_config));
347 if (status != SUCCESS)
348 {
349 if (my_id)
350 {
351 this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses IDs %s to %s, which we have no config for",
352 other_id->get_string(other_id),my_id->get_string(my_id));
353 my_id->destroy(my_id);
354 }
355 else
356 {
357 this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses ID %s, which we have no config for",
358 other_id->get_string(other_id));
359 }
360 other_id->destroy(other_id);
361 return DELETE_ME;
362 }
363
364 if (my_id)
365 {
366 my_id->destroy(my_id);
367 }
368 other_id->destroy(other_id);
369
370 /* get my id, if not requested */
371 my_id = this->sa_config->get_my_id(this->sa_config);
372
373 /* set sa_config in ike_sa for other states */
374 this->ike_sa->set_sa_config(this->ike_sa, this->sa_config);
375
376 /* build response */
377 idr_response = id_payload_create_from_identification(FALSE, my_id);
378 response->add_payload(response, (payload_t*)idr_response);
379 *response_idr = idr_response;
380
381 return SUCCESS;
382 }
383
384 /**
385 * Implementation of private_ike_sa_init_responded_t.build_sa_payload.
386 */
387 static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response)
388 {
389 child_proposal_t *proposal, *proposal_tmp;
390 linked_list_t *proposal_list;
391 sa_payload_t *sa_response;
392 protocol_id_t proto;
393
394 /* TODO: child sa stuff */
395
396 /* get proposals from request */
397 proposal_list = request->get_child_proposals(request);
398 if (proposal_list->get_count(proposal_list) == 0)
399 {
400 /* if the other side did not offer any proposals, we do not create child sa's */
401 this->logger->log(this->logger, AUDIT, "IKE_AUH request did not contain any proposals. No CHILD_SA created");
402 sa_response = sa_payload_create();
403 response->add_payload(response, (payload_t*)sa_response);
404 proposal_list->destroy(proposal_list);
405 return SUCCESS;
406 }
407
408 /* now select a proposal */
409 this->logger->log(this->logger, CONTROL|LEVEL1, "Selecting proposals:");
410 proposal = this->sa_config->select_proposal(this->sa_config, proposal_list);
411 /* list is not needed anymore */
412 while (proposal_list->remove_last(proposal_list, (void**)&proposal_tmp) == SUCCESS)
413 {
414 proposal_tmp->destroy(proposal_tmp);
415 }
416 proposal_list->destroy(proposal_list);
417 /* do we have a proposal */
418 if (proposal == NULL)
419 {
420 this->logger->log(this->logger, AUDIT, "IKE_AUTH request did not contain any proposals we accept. Deleting IKE_SA");
421 this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER);
422 return DELETE_ME;
423 }
424 for (proto = AH; proto <= ESP; proto++)
425 {
426 transform_type_t types[] = {ENCRYPTION_ALGORITHM, INTEGRITY_ALGORITHM, DIFFIE_HELLMAN_GROUP, EXTENDED_SEQUENCE_NUMBERS};
427 mapping_t *mappings[] = {encryption_algorithm_m, integrity_algorithm_m, diffie_hellman_group_m, extended_sequence_numbers_m};
428 algorithm_t *algo;
429 int i;
430 for (i = 0; i<sizeof(types)/sizeof(transform_type_t); i++)
431 {
432 if (proposal->get_algorithm(proposal, proto, types[i], &algo))
433 {
434 this->logger->log(this->logger, CONTROL|LEVEL1, "%s: using %s %s (keysize: %d)",
435 mapping_find(protocol_id_m, proto),
436 mapping_find(transform_type_m, types[i]),
437 mapping_find(mappings[i], algo->algorithm),
438 algo->key_size);
439 }
440 }
441 }
442
443 /* create payload with selected propsal */
444 sa_response = sa_payload_create_from_child_proposal(proposal);
445 response->add_payload(response, (payload_t*)sa_response);
446 proposal->destroy(proposal);
447
448 /* install child SAs for AH and esp */
449 // algorithm_t *encr, *integ;
450 // char enc_key_buffer[] = "123";
451 // chunk_t enc_key = {ptr: enc_key_buffer, len: 4};
452 // char int_key_buffer[] = "345";
453 // chunk_t int_key = {ptr: int_key_buffer, len: 4};
454 // proposal->get_algorithm(proposal, ESP, ENCRYPTION_ALGORITHM, &encr);
455 // proposal->get_algorithm(proposal, ESP, INTEGRITY_ALGORITHM, &integ);
456 //
457 // charon->kernel_interface->add_sa(charon->kernel_interface,
458 // this->ike_sa->get_my_host(this->ike_sa),
459 // this->ike_sa->get_other_host(this->ike_sa),
460 // proposal->get_spi(proposal, AH),
461 // AH,
462 // TRUE,
463 // encr->algorithm, encr->key_size, enc_key,
464 // integ->algorithm, integ->key_size, int_key,
465 // TRUE);
466 //
467 // POS;
468
469 return SUCCESS;
470 }
471
472 /**
473 * Implementation of private_ike_sa_init_responded_t.build_auth_payload.
474 */
475 static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_payload_t *auth_request,id_payload_t *other_id_payload,id_payload_t *my_id_payload, message_t* response)
476 {
477 authenticator_t *authenticator;
478 auth_payload_t *auth_reply;
479 status_t status;
480
481 authenticator = authenticator_create(this->ike_sa);
482
483
484 status = authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE);
485
486 if (status != SUCCESS)
487 {
488 this->logger->log(this->logger, AUDIT, "IKE_AUTH request verification failed. Deleting IKE_SA");
489 this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, AUTHENTICATION_FAILED, CHUNK_INITIALIZER);
490 authenticator->destroy(authenticator);
491 return DELETE_ME;
492 }
493
494
495 status = authenticator->compute_auth_data(authenticator,&auth_reply, this->ike_sa_init_response_data,this->received_nonce,my_id_payload,FALSE);
496 authenticator->destroy(authenticator);
497 if (status != SUCCESS)
498 {
499 this->logger->log(this->logger, AUDIT, "Unable to build authentication data for IKE_AUTH reply. Deleting IKE_SA");
500 return DELETE_ME;
501
502 }
503
504 response->add_payload(response, (payload_t *)auth_reply);
505 return SUCCESS;
506 }
507
508 /**
509 * Implementation of private_ike_sa_init_responded_t.build_ts_payload.
510 */
511 static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t* response)
512 {
513 traffic_selector_t **ts_received, **ts_selected;
514 size_t ts_received_count, ts_selected_count;
515 status_t status = SUCCESS;
516 ts_payload_t *ts_response;
517
518 /* build a reply payload with selected traffic selectors */
519 ts_received_count = request->get_traffic_selectors(request, &ts_received);
520 /* select ts depending on payload type */
521 if (ts_initiator)
522 {
523 ts_selected_count = this->sa_config->select_traffic_selectors_initiator(this->sa_config, ts_received, ts_received_count, &ts_selected);
524 }
525 else
526 {
527 ts_selected_count = this->sa_config->select_traffic_selectors_responder(this->sa_config, ts_received, ts_received_count, &ts_selected);
528 }
529 if(ts_selected_count == 0)
530 {
531 this->logger->log(this->logger, AUDIT, "IKE_AUH request did not contain any traffic selectors.");
532 ts_response = ts_payload_create(ts_initiator);
533 response->add_payload(response, (payload_t*)ts_response);
534 }
535 else
536 {
537 ts_response = ts_payload_create_from_traffic_selectors(ts_initiator, ts_selected, ts_selected_count);
538 response->add_payload(response, (payload_t*)ts_response);
539 }
540
541 /* cleanup */
542 while(ts_received_count--)
543 {
544 traffic_selector_t *ts = *ts_received + ts_received_count;
545 ts->destroy(ts);
546 }
547 allocator_free(ts_received);
548 while(ts_selected_count--)
549 {
550 traffic_selector_t *ts = *ts_selected + ts_selected_count;
551 ts->destroy(ts);
552 }
553 allocator_free(ts_selected);
554 return status;
555 }
556
557 static status_t process_notify_payload(private_ike_sa_init_responded_t *this, notify_payload_t *notify_payload)
558 {
559 notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
560
561 this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
562 mapping_find(notify_message_type_m, notify_message_type),
563 mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
564
565 switch (notify_message_type)
566 {
567 case SET_WINDOW_SIZE:
568 /*
569 * TODO Increase window size.
570 */
571 case INITIAL_CONTACT:
572 /*
573 * TODO Delete existing IKE_SA's with other Identity.
574 */
575 default:
576 {
577 this->logger->log(this->logger, AUDIT, "IKE_AUTH request contained an unknown notify (%d), ignored.", notify_message_type);
578 }
579 }
580
581 return SUCCESS;
582 }
583
584 /**
585 * Implementation of state_t.get_state.
586 */
587 static ike_sa_state_t get_state(private_ike_sa_init_responded_t *this)
588 {
589 return IKE_SA_INIT_RESPONDED;
590 }
591
592 /**
593 * Implementation of state_t.get_state.
594 */
595 static void destroy(private_ike_sa_init_responded_t *this)
596 {
597 this->logger->log(this->logger, CONTROL | LEVEL3, "Going to destroy ike_sa_init_responded_t state object");
598
599 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy received nonce");
600 allocator_free_chunk(&(this->received_nonce));
601 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy sent nonce");
602 allocator_free_chunk(&(this->sent_nonce));
603 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy IKE_SA_INIT response octets");
604 allocator_free_chunk(&(this->ike_sa_init_response_data));
605 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy IKE_SA_INIT request octets");
606 allocator_free_chunk(&(this->ike_sa_init_request_data));
607
608 allocator_free(this);
609 }
610
611 /*
612 * Described in header.
613 */
614 ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce,chunk_t ike_sa_init_request_data, chunk_t ike_sa_init_response_data)
615 {
616 private_ike_sa_init_responded_t *this = allocator_alloc_thing(private_ike_sa_init_responded_t);
617
618 /* interface functions */
619 this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
620 this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
621 this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
622
623 /* private functions */
624 this->build_idr_payload = build_idr_payload;
625 this->build_sa_payload = build_sa_payload;
626 this->build_auth_payload = build_auth_payload;
627 this->build_ts_payload = build_ts_payload;
628 this->process_notify_payload = process_notify_payload;
629
630 /* private data */
631 this->ike_sa = ike_sa;
632 this->received_nonce = received_nonce;
633 this->sent_nonce = sent_nonce;
634 this->ike_sa_init_response_data = ike_sa_init_response_data;
635 this->ike_sa_init_request_data = ike_sa_init_request_data;
636 this->logger = this->ike_sa->get_logger(this->ike_sa);
637
638 return &(this->public);
639 }