../svn-commit.tmp
[strongswan.git] / Source / charon / sa / states / ike_sa_init_responded.c
1 /**
2 * @file ike_sa_init_responded.c
3 *
4 * @brief State of a IKE_SA after responding to an IKE_SA_INIT request
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_sa_init_responded.h"
24
25 #include <daemon.h>
26 #include <utils/allocator.h>
27 #include <sa/authenticator.h>
28 #include <encoding/payloads/ts_payload.h>
29 #include <encoding/payloads/sa_payload.h>
30 #include <encoding/payloads/id_payload.h>
31 #include <encoding/payloads/auth_payload.h>
32 #include <encoding/payloads/notify_payload.h>
33 #include <transforms/signers/signer.h>
34 #include <transforms/crypters/crypter.h>
35 #include <sa/states/ike_sa_established.h>
36
37
38 typedef struct private_ike_sa_init_responded_t private_ike_sa_init_responded_t;
39
40 /**
41 * Private data of a ike_sa_init_responded_t object.
42 *
43 */
44 struct private_ike_sa_init_responded_t {
45 /**
46 * Public interface of ike_sa_init_responded_t.
47 */
48 ike_sa_init_responded_t public;
49
50 /**
51 * Assigned IKE_SA.
52 */
53 protected_ike_sa_t *ike_sa;
54
55 /**
56 * Received nonce.
57 */
58 chunk_t received_nonce;
59
60 /**
61 * Sent nonce.
62 */
63 chunk_t sent_nonce;
64
65 /**
66 * Binary representation of the IKE_SA_INIT response.
67 */
68 chunk_t ike_sa_init_response_data;
69
70 /**
71 * Binary representation of the IKE_SA_INIT request.
72 */
73 chunk_t ike_sa_init_request_data;
74
75 /**
76 * SA config to use.
77 */
78 sa_config_t *sa_config;
79
80 /**
81 * Assigned logger.
82 *
83 * Is logger of ike_sa!
84 */
85 logger_t *logger;
86
87 /**
88 * Process received IDi and IDr payload and build IDr payload for IKE_AUTH response.
89 *
90 * @param this calling object
91 * @param request_idi ID payload representing initiator
92 * @param request_idr ID payload representing responder (May be zero)
93 * @param response The created IDr payload is added to this message_t object
94 * @param response_idr The created IDr payload is also written to this location
95 */
96 status_t (*build_idr_payload) (private_ike_sa_init_responded_t *this,
97 id_payload_t *request_idi,
98 id_payload_t *request_idr,
99 message_t *response,
100 id_payload_t **response_idr);
101
102 /**
103 * Process received SA payload and build SA payload for IKE_AUTH response.
104 *
105 * @param this calling object
106 * @param request SA payload received in IKE_AUTH request
107 * @param response The created SA payload is added to this message_t object
108 */
109 status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response);
110
111 /**
112 * Process received AUTH payload and build AUTH payload for IKE_AUTH response.
113 *
114 * @param this calling object
115 * @param request AUTH payload received in IKE_AUTH request
116 * @param other_id_payload other ID payload needed to verify AUTH data
117 * @param my_id_payload my ID payload needed to compute AUTH data
118 * @param response The created AUTH payload is added to this message_t object
119 */
120 status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload,id_payload_t *my_id_payload, message_t* response);
121
122 /**
123 * Process received TS payload and build TS payload for IKE_AUTH response.
124 *
125 * @param this calling object
126 * @param is_initiator type of TS payload. TRUE for TSi, FALSE for TSr
127 * @param request TS payload received in IKE_AUTH request
128 * @param response the created TS payload is added to this message_t object
129 */
130 status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response);
131
132 /**
133 * Sends a IKE_AUTH reply containing a notify payload.
134 *
135 * @param this calling object
136 * @param type type of notify message
137 * @param data data of notify message
138 */
139 void (*send_notify_reply) (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data);
140 };
141
142 /**
143 * Implements state_t.get_state
144 */
145 static status_t process_message(private_ike_sa_init_responded_t *this, message_t *request)
146 {
147 id_payload_t *idi_request, *idr_request = NULL,*idr_response;
148 ts_payload_t *tsi_request, *tsr_request;
149 auth_payload_t *auth_request;
150 sa_payload_t *sa_request;
151 iterator_t *payloads;
152 message_t *response;
153 crypter_t *crypter;
154 signer_t *signer;
155 status_t status;
156
157
158 if (request->get_exchange_type(request) != IKE_AUTH)
159 {
160 this->logger->log(this->logger, ERROR | LEVEL1, "Message of type %s not supported in state ike_sa_init_responded",
161 mapping_find(exchange_type_m,request->get_exchange_type(request)));
162 return FAILED;
163 }
164
165 if (!request->get_request(request))
166 {
167 this->logger->log(this->logger, ERROR | LEVEL1, "Only requests of type IKE_AUTH supported in state ike_sa_init_responded");
168 return FAILED;
169 }
170
171 /* get signer for verification and crypter for decryption */
172 signer = this->ike_sa->get_signer_initiator(this->ike_sa);
173 crypter = this->ike_sa->get_crypter_initiator(this->ike_sa);
174
175 status = request->parse_body(request, crypter, signer);
176 if (status != SUCCESS)
177 {
178 if (status == NOT_SUPPORTED)
179 {
180 this->logger->log(this->logger, ERROR | LEVEL1, "Message contains unsupported payload with critical flag set");
181 /**
182 * TODO send unsupported type.
183 */
184 this->send_notify_reply(this,UNSUPPORTED_CRITICAL_PAYLOAD,CHUNK_INITIALIZER);
185 return DELETE_ME;
186 }
187 else
188 {
189 this->logger->log(this->logger, ERROR | LEVEL1, "Could not parse body of request message");
190 }
191 return status;
192 }
193
194 /* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */
195 payloads = request->get_payload_iterator(request);
196 while (payloads->has_next(payloads))
197 {
198 payload_t *payload;
199 payloads->current(payloads, (void**)&payload);
200
201 switch (payload->get_type(payload))
202 {
203 case ID_INITIATOR:
204 {
205 idi_request = (id_payload_t*)payload;
206 break;
207 }
208 case AUTHENTICATION:
209 {
210 auth_request = (auth_payload_t*)payload;
211 break;
212 }
213 case ID_RESPONDER:
214 {
215 idr_request = (id_payload_t*)payload;
216 break;
217 }
218 case SECURITY_ASSOCIATION:
219 {
220 sa_request = (sa_payload_t*)payload;
221 break;
222 }
223 case CERTIFICATE:
224 {
225 /* TODO handle cert payloads */
226 this->logger->log(this->logger, ERROR | LEVEL1, "Payload type CERTIFICATE currently not supported and so not handled");
227 break;
228 }
229 case CERTIFICATE_REQUEST:
230 {
231 /* TODO handle certrequest payloads */
232 this->logger->log(this->logger, ERROR | LEVEL1, "Payload type CERTIFICATE_REQUEST currently not supported and so not handled");
233 break;
234 }
235 case TRAFFIC_SELECTOR_INITIATOR:
236 {
237 tsi_request = (ts_payload_t*)payload;
238 break;
239 }
240 case TRAFFIC_SELECTOR_RESPONDER:
241 {
242 tsr_request = (ts_payload_t*)payload;
243 break;
244 }
245 case NOTIFY:
246 {
247 notify_payload_t *notify_payload = (notify_payload_t *) payload;
248
249 this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
250 mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
251 mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
252
253 if (notify_payload->get_protocol_id(notify_payload) != IKE)
254 {
255 this->logger->log(this->logger, ERROR | LEVEL1, "Notify not for IKE protocol.");
256 payloads->destroy(payloads);
257 return DELETE_ME;
258 }
259 switch (notify_payload->get_notify_message_type(notify_payload))
260 {
261 case SET_WINDOW_SIZE:
262 /*
263 * TODO Increase window size.
264 */
265 case INITIAL_CONTACT:
266 /*
267 * TODO Delete existing IKE_SA's with other Identity.
268 */
269 default:
270 {
271 this->logger->log(this->logger, CONTROL|LEVEL1, "Handling of notify type %s not implemented",
272 notify_payload->get_notify_message_type(notify_payload));
273 }
274 }
275
276 break;
277 }
278 default:
279 {
280 this->logger->log(this->logger, ERROR, "Payload ID %d not handled in state IKE_AUTH_RESPONDED!", payload->get_type(payload));
281 break;
282 }
283 }
284 }
285 /* iterator can be destroyed */
286 payloads->destroy(payloads);
287
288 /* build response */
289 this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
290
291 /* add payloads to it */
292
293 status = this->build_idr_payload(this, idi_request, idr_request, response,&idr_response);
294 if (status != SUCCESS)
295 {
296 this->logger->log(this->logger, ERROR, "Building IDr payload failed");
297 response->destroy(response);
298 return status;
299 }
300 status = this->build_sa_payload(this, sa_request, response);
301 if (status != SUCCESS)
302 {
303 this->logger->log(this->logger, ERROR, "Building SA payload failed");
304 response->destroy(response);
305 return status;
306 }
307 status = this->build_auth_payload(this, auth_request,idi_request, idr_response,response);
308 if (status != SUCCESS)
309 {
310 this->logger->log(this->logger, ERROR, "Building AUTH payload failed");
311 response->destroy(response);
312 return status;
313 }
314 status = this->build_ts_payload(this, TRUE, tsi_request, response);
315 if (status != SUCCESS)
316 {
317 this->logger->log(this->logger, ERROR, "Building TSi payload failed");
318 response->destroy(response);
319 return status;
320 }
321 status = this->build_ts_payload(this, FALSE, tsr_request, response);
322 if (status != SUCCESS)
323 {
324 this->logger->log(this->logger, ERROR, "Building TSr payload failed");
325 response->destroy(response);
326 return status;
327 }
328
329 this->logger->log(this->logger, CONTROL | LEVEL1, "IKE_AUTH request successfully handled. Sending reply.");
330 status = this->ike_sa->send_response(this->ike_sa, response);
331
332 /* message can now be sent (must not be destroyed) */
333 if (status != SUCCESS)
334 {
335 this->logger->log(this->logger, ERROR, "Could not send response message");
336 response->destroy(response);
337 return DELETE_ME;
338 }
339
340 /* create new state */
341 this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
342 this->ike_sa->create_delete_established_ike_sa_job(this->ike_sa,this->sa_config->get_ike_sa_lifetime(this->sa_config));
343
344 this->public.state_interface.destroy(&(this->public.state_interface));
345
346 return SUCCESS;
347 }
348
349 /**
350 * Implementation of private_ike_sa_init_responded_t.build_idr_payload.
351 */
352 static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response,id_payload_t **response_idr)
353 {
354 identification_t *other_id, *my_id = NULL;
355 init_config_t *init_config;
356 status_t status;
357 id_payload_t *idr_response;
358
359 other_id = request_idi->get_identification(request_idi);
360 if (request_idr)
361 {
362 my_id = request_idr->get_identification(request_idr);
363 }
364
365 /* build new sa config */
366 init_config = this->ike_sa->get_init_config(this->ike_sa);
367 status = charon->configuration_manager->get_sa_config_for_init_config_and_id(charon->configuration_manager,init_config, other_id,my_id, &(this->sa_config));
368 other_id->destroy(other_id);
369 if (my_id)
370 {
371 my_id->destroy(my_id);
372 }
373 if (status != SUCCESS)
374 {
375 this->logger->log(this->logger, ERROR, "Could not find config for %s", other_id->get_string(other_id));
376 if (my_id)
377 {
378 my_id->destroy(my_id);
379 }
380 return DELETE_ME;
381 }
382
383 /* get my id, if not requested */
384 my_id = this->sa_config->get_my_id(this->sa_config);
385
386 /* set sa_config in ike_sa for other states */
387 this->ike_sa->set_sa_config(this->ike_sa, this->sa_config);
388
389 /* build response */
390 idr_response = id_payload_create_from_identification(FALSE, my_id);
391 response->add_payload(response, (payload_t*)idr_response);
392 *response_idr = idr_response;
393
394 return SUCCESS;
395 }
396
397 /**
398 * Implementation of private_ike_sa_init_responded_t.build_sa_payload.
399 */
400 static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response)
401 {
402 child_proposal_t *proposals, *proposal_chosen;
403 size_t proposal_count;
404 status_t status;
405 sa_payload_t *sa_response;
406
407 /* dummy spis, until we have a child sa to request them */
408 u_int8_t ah_spi[4] = {0x01, 0x02, 0x03, 0x04};
409 u_int8_t esp_spi[4] = {0x05, 0x06, 0x07, 0x08};
410
411 status = request->get_child_proposals(request, &proposals, &proposal_count);
412 if (status == SUCCESS)
413 {
414 proposal_chosen = this->sa_config->select_proposal(this->sa_config, ah_spi, esp_spi, proposals, proposal_count);
415 if (proposal_chosen != NULL)
416 {
417 sa_response = sa_payload_create_from_child_proposals(proposal_chosen, 1);
418 response->add_payload(response, (payload_t*)sa_response);
419 }
420 else
421 {
422 this->logger->log(this->logger, ERROR, "no matching proposal found");
423 this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER);
424 status = DELETE_ME;
425 }
426 }
427 else
428 {
429 this->logger->log(this->logger, ERROR, "requestor's sa payload contained no proposals");
430 this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER);
431 status = DELETE_ME;
432 }
433
434
435 allocator_free(proposal_chosen);
436 allocator_free(proposals);
437
438 return status;
439 }
440
441 /**
442 * Implementation of private_ike_sa_init_responded_t.build_auth_payload.
443 */
444 static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_payload_t *auth_request,id_payload_t *other_id_payload,id_payload_t *my_id_payload, message_t* response)
445 {
446 authenticator_t *authenticator;
447 auth_payload_t *auth_reply;
448 status_t status;
449
450 authenticator = authenticator_create(this->ike_sa);
451
452
453 status = authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE);
454
455 if (status != SUCCESS)
456 {
457 this->logger->log(this->logger, ERROR, "Verification of AUTH payload returned status %s",mapping_find(status_m,status));
458 authenticator->destroy(authenticator);
459 /*
460 * Send notify message of type AUTHENTICATION_FAILED
461 */
462 this->logger->log(this->logger, CONTROL | LEVEL1, "Send notify message of type AUTHENTICATION_FAILED");
463 this->send_notify_reply (this,AUTHENTICATION_FAILED,CHUNK_INITIALIZER);
464 return DELETE_ME;
465 }
466
467
468 status = authenticator->compute_auth_data(authenticator,&auth_reply, this->ike_sa_init_response_data,this->received_nonce,my_id_payload,FALSE);
469 authenticator->destroy(authenticator);
470 if (status != SUCCESS)
471 {
472 this->logger->log(this->logger, ERROR, "Could not compute AUTH payload.");
473 return DELETE_ME;
474
475 }
476
477 response->add_payload(response, (payload_t *)auth_reply);
478 return SUCCESS;
479 }
480
481 /**
482 * Implementation of private_ike_sa_init_responded_t.build_ts_payload.
483 */
484 static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t* response)
485 {
486 traffic_selector_t **ts_received, **ts_selected;
487 size_t ts_received_count, ts_selected_count;
488 status_t status = SUCCESS;
489 ts_payload_t *ts_response;
490
491 /* build a reply payload with selected traffic selectors */
492 ts_received_count = request->get_traffic_selectors(request, &ts_received);
493 /* select ts depending on payload type */
494 if (ts_initiator)
495 {
496 ts_selected_count = this->sa_config->select_traffic_selectors_initiator(this->sa_config, ts_received, ts_received_count, &ts_selected);
497 }
498 else
499 {
500 ts_selected_count = this->sa_config->select_traffic_selectors_responder(this->sa_config, ts_received, ts_received_count, &ts_selected);
501 }
502 if(ts_selected_count == 0)
503 {
504 status = DELETE_ME;
505 }
506 else
507 {
508 ts_response = ts_payload_create_from_traffic_selectors(ts_initiator, ts_selected, ts_selected_count);
509 response->add_payload(response, (payload_t*)ts_response);
510 }
511
512 /* cleanup */
513 while(ts_received_count--)
514 {
515 traffic_selector_t *ts = *ts_received + ts_received_count;
516 ts->destroy(ts);
517 }
518 allocator_free(ts_received);
519 while(ts_selected_count--)
520 {
521 traffic_selector_t *ts = *ts_selected + ts_selected_count;
522 ts->destroy(ts);
523 }
524 allocator_free(ts_selected);
525 return status;
526 }
527
528 /**
529 * Implementation of of private_responder_init_t.send_notify_reply.
530 */
531 static void send_notify_reply (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data)
532 {
533 notify_payload_t *payload;
534 message_t *response;
535 packet_t *packet;
536 status_t status;
537
538 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload");
539 /* set up the reply */
540 this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
541 payload = notify_payload_create_from_protocol_and_type(IKE,type);
542 if ((data.ptr != NULL) && (data.len > 0))
543 {
544 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload");
545 payload->set_notification_data(payload,data);
546 }
547
548 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Notify payload to message");
549 response->add_payload(response,(payload_t *) payload);
550
551 /* generate packet */
552 this->logger->log(this->logger, CONTROL|LEVEL2, "Gnerate packet from message");
553 status = response->generate(response, this->ike_sa->get_crypter_responder(this->ike_sa),
554 this->ike_sa->get_signer_responder(this->ike_sa), &packet);
555 if (status != SUCCESS)
556 {
557 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
558 response->destroy(response);
559 return;
560 }
561
562 this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
563 charon->send_queue->add(charon->send_queue, packet);
564 this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy message");
565 response->destroy(response);
566 }
567
568 /**
569 * Implementation of state_t.get_state.
570 */
571 static ike_sa_state_t get_state(private_ike_sa_init_responded_t *this)
572 {
573 return IKE_SA_INIT_RESPONDED;
574 }
575
576 /**
577 * Implementation of state_t.get_state.
578 */
579 static void destroy(private_ike_sa_init_responded_t *this)
580 {
581 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to destroy ike_sa_init_responded_t state object");
582
583 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy received nonce");
584 allocator_free_chunk(&(this->received_nonce));
585 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy sent nonce");
586 allocator_free_chunk(&(this->sent_nonce));
587 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy IKE_SA_INIT response octets");
588 allocator_free_chunk(&(this->ike_sa_init_response_data));
589 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy IKE_SA_INIT request octets");
590 allocator_free_chunk(&(this->ike_sa_init_request_data));
591
592 allocator_free(this);
593 }
594
595 /*
596 * Described in header.
597 */
598 ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce,chunk_t ike_sa_init_request_data, chunk_t ike_sa_init_response_data)
599 {
600 private_ike_sa_init_responded_t *this = allocator_alloc_thing(private_ike_sa_init_responded_t);
601
602 /* interface functions */
603 this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
604 this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
605 this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
606
607 /* private functions */
608 this->build_idr_payload = build_idr_payload;
609 this->build_sa_payload = build_sa_payload;
610 this->build_auth_payload = build_auth_payload;
611 this->build_ts_payload = build_ts_payload;
612 this->send_notify_reply = send_notify_reply;
613
614 /* private data */
615 this->ike_sa = ike_sa;
616 this->received_nonce = received_nonce;
617 this->sent_nonce = sent_nonce;
618 this->ike_sa_init_response_data = ike_sa_init_response_data;
619 this->ike_sa_init_request_data = ike_sa_init_request_data;
620 this->logger = this->ike_sa->get_logger(this->ike_sa);
621
622 return &(this->public);
623 }