2 * @file responder_init.c
4 * @brief Start state of a IKE_SA as responder
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
23 #include "responder_init.h"
26 #include <sa/states/state.h>
27 #include <sa/states/ike_sa_init_responded.h>
28 #include <utils/allocator.h>
29 #include <encoding/payloads/sa_payload.h>
30 #include <encoding/payloads/ke_payload.h>
31 #include <encoding/payloads/nonce_payload.h>
32 #include <transforms/diffie_hellman.h>
35 * Private data of a responder_init_t object.
38 typedef struct private_responder_init_s private_responder_init_t
;
39 struct private_responder_init_s
{
41 * Methods of the state_t interface.
43 responder_init_t
public;
48 protected_ike_sa_t
*ike_sa
;
51 * Diffie Hellman object used to compute shared secret.
53 * After processing of incoming IKE_SA_INIT-Request the shared key is
54 * passed to the next state of type ike_sa_init_responded_t.
56 diffie_hellman_t
*diffie_hellman
;
59 * Diffie Hellman group number.
61 u_int16_t dh_group_number
;
64 * Priority used to get matching dh_group number.
66 u_int16_t dh_group_priority
;
71 * This value is passed to the next state of type ike_sa_init_responded_t.
76 * Received nonce value
78 * This value is passed to the next state of type ike_sa_init_responded_t.
80 chunk_t received_nonce
;
83 * Logger used to log data
85 * Is logger of ike_sa!
90 * Proposals used to initiate connection
92 linked_list_t
*proposals
;
95 * Builds the SA payload for this state.
97 * @param this calling object
98 * @param payload The generated SA payload object of type ke_payload_t is
99 * stored at this location.
104 status_t (*build_sa_payload
) (private_responder_init_t
*this, payload_t
**payload
);
107 * Builds the KE payload for this state.
109 * @param this calling object
110 * @param payload The generated KE payload object of type ke_payload_t is
111 * stored at this location.
116 status_t (*build_ke_payload
) (private_responder_init_t
*this, payload_t
**payload
);
118 * Builds the NONCE payload for this state.
120 * @param this calling object
121 * @param payload The generated NONCE payload object of type ke_payload_t is
122 * stored at this location.
127 status_t (*build_nonce_payload
) (private_responder_init_t
*this, payload_t
**payload
);
130 * Destroy function called internally of this class after state change succeeded.
132 * This destroy function does not destroy objects which were passed to the new state.
134 * @param this calling object
135 * @return SUCCESS in any case
137 status_t (*destroy_after_state_change
) (private_responder_init_t
*this);
141 * Implements state_t.get_state
143 static status_t
process_message(private_responder_init_t
*this, message_t
*message
, state_t
**new_state
)
145 linked_list_iterator_t
*payloads
;
146 host_t
*source
, *destination
;
151 chunk_t shared_secret
;
152 exchange_type_t exchange_type
;
153 ike_sa_init_responded_t
*next_state
;
155 exchange_type
= message
->get_exchange_type(message
);
156 if (exchange_type
!= IKE_SA_INIT
)
158 this->logger
->log(this->logger
, ERROR
| MORE
, "Message of type %s not supported in state responder_init",mapping_find(exchange_type_m
,exchange_type
));
162 if (!message
->get_request(message
))
164 this->logger
->log(this->logger
, ERROR
| MORE
, "Only requests of type IKE_SA_INIT supported in state responder_init");
168 /* this is the first message we process, so copy host infos */
169 message
->get_source(message
, &source
);
170 message
->get_destination(message
, &destination
);
172 /* we need to clone them, since we destroy the message later */
173 destination
->clone(destination
, &(this->ike_sa
->me
.host
));
174 source
->clone(source
, &(this->ike_sa
->other
.host
));
176 /* parse incoming message */
177 status
= message
->parse_body(message
);
178 if (status
!= SUCCESS
)
180 this->logger
->log(this->logger
, ERROR
| MORE
, "Could not parse body of request message");
184 /* iterate over incoming payloads. We can be sure, the message contains only accepted payloads! */
185 status
= message
->get_payload_iterator(message
, &payloads
);
186 if (status
!= SUCCESS
)
188 this->logger
->log(this->logger
, ERROR
, "Fatal error: Could not get payload interator");
192 while (payloads
->has_next(payloads
))
196 /* get current payload */
197 payloads
->current(payloads
, (void**)&payload
);
199 this->logger
->log(this->logger
, CONTROL
|MORE
, "Processing payload of type %s", mapping_find(payload_type_m
, payload
->get_type(payload
)));
200 switch (payload
->get_type(payload
))
202 case SECURITY_ASSOCIATION
:
204 sa_payload_t
*sa_payload
= (sa_payload_t
*)payload
;
205 linked_list_iterator_t
*suggested_proposals
, *accepted_proposals
;
206 encryption_algorithm_t encryption_algorithm
= ENCR_UNDEFINED
;
207 pseudo_random_function_t pseudo_random_function
= PRF_UNDEFINED
;
208 integrity_algorithm_t integrity_algorithm
= AUTH_UNDEFINED
;
210 status
= this->proposals
->create_iterator(this->proposals
, &accepted_proposals
, FALSE
);
211 if (status
!= SUCCESS
)
213 this->logger
->log(this->logger
, ERROR
, "Fatal error: Could not create iterator on list for proposals");
214 payloads
->destroy(payloads
);
218 /* get the list of suggested proposals */
219 status
= sa_payload
->create_proposal_substructure_iterator(sa_payload
, &suggested_proposals
, TRUE
);
220 if (status
!= SUCCESS
)
222 this->logger
->log(this->logger
, ERROR
, "Fatal error: Could not create iterator on suggested proposals");
223 accepted_proposals
->destroy(accepted_proposals
);
224 payloads
->destroy(payloads
);
228 /* now let the configuration-manager select a subset of the proposals */
229 status
= global_configuration_manager
->select_proposals_for_host(global_configuration_manager
,
230 this->ike_sa
->other
.host
, suggested_proposals
, accepted_proposals
);
231 if (status
!= SUCCESS
)
233 this->logger
->log(this->logger
, CONTROL
| MORE
, "No proposal of suggested proposals selected");
234 suggested_proposals
->destroy(suggested_proposals
);
235 accepted_proposals
->destroy(accepted_proposals
);
236 payloads
->destroy(payloads
);
240 /* iterators are not needed anymore */
241 suggested_proposals
->destroy(suggested_proposals
);
244 /* now let the configuration-manager return the transforms for the given proposal*/
245 this->logger
->log(this->logger
, CONTROL
| MOST
, "Get transforms for accepted proposal");
246 status
= global_configuration_manager
->get_transforms_for_host_and_proposals(global_configuration_manager
,
247 this->ike_sa
->other
.host
, accepted_proposals
, &encryption_algorithm
,&pseudo_random_function
,&integrity_algorithm
);
248 if (status
!= SUCCESS
)
250 this->logger
->log(this->logger
, ERROR
| MORE
, "Accepted proposals not supported?!");
251 accepted_proposals
->destroy(accepted_proposals
);
252 payloads
->destroy(payloads
);
255 accepted_proposals
->destroy(accepted_proposals
);
257 this->ike_sa
->prf
= prf_create(pseudo_random_function
);
258 if (this->ike_sa
->prf
== NULL
)
260 this->logger
->log(this->logger
, ERROR
| MORE
, "PRF type not supported");
261 payloads
->destroy(payloads
);
265 this->logger
->log(this->logger
, CONTROL
| MORE
, "SA Payload processed");
266 /* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/
271 ke_payload_t
*ke_payload
= (ke_payload_t
*)payload
;
272 diffie_hellman_group_t group
;
273 diffie_hellman_t
*dh
;
276 group
= ke_payload
->get_dh_group_number(ke_payload
);
278 status
= global_configuration_manager
->is_dh_group_allowed_for_host(global_configuration_manager
,
279 this->ike_sa
->other
.host
, group
, &allowed_group
);
281 if (status
!= SUCCESS
)
283 this->logger
->log(this->logger
, ERROR
| MORE
, "Could not get informations about DH group");
284 payloads
->destroy(payloads
);
289 /** @todo Send info reply */
292 /* create diffie hellman object to handle DH exchange */
293 dh
= diffie_hellman_create(group
);
296 this->logger
->log(this->logger
, ERROR
, "Could not generate DH object");
297 payloads
->destroy(payloads
);
301 this->logger
->log(this->logger
, CONTROL
| MORE
, "Set other DH public value");
303 status
= dh
->set_other_public_value(dh
, ke_payload
->get_key_exchange_data(ke_payload
));
304 if (status
!= SUCCESS
)
306 this->logger
->log(this->logger
, ERROR
, "Could not set other DH public value");
308 payloads
->destroy(payloads
);
312 this->diffie_hellman
= dh
;
314 this->logger
->log(this->logger
, CONTROL
| MORE
, "KE Payload processed");
319 nonce_payload_t
*nonce_payload
= (nonce_payload_t
*)payload
;
321 if (this->received_nonce
.ptr
!= NULL
)
323 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy stored received nonce");
324 allocator_free(this->received_nonce
.ptr
);
325 this->received_nonce
.ptr
= NULL
;
326 this->received_nonce
.len
= 0;
329 this->logger
->log(this->logger
, CONTROL
| MORE
, "Get nonce value and store it");
330 status
= nonce_payload
->get_nonce(nonce_payload
, &(this->received_nonce
));
331 if (status
!= SUCCESS
)
333 this->logger
->log(this->logger
, ERROR
, "Fatal error: Could not get nonce");
334 payloads
->destroy(payloads
);
338 this->logger
->log(this->logger
, CONTROL
| MORE
, "Nonce Payload processed");
343 this->logger
->log(this->logger
, ERROR
| MORE
, "Payload type not supported!");
344 payloads
->destroy(payloads
);
351 /* iterator can be destroyed */
352 payloads
->destroy(payloads
);
354 this->logger
->log(this->logger
, CONTROL
| MORE
, "Request successfully handled. Going to create reply.");
356 this->logger
->log(this->logger
, CONTROL
| MOST
, "Going to create nonce.");
357 if (this->ike_sa
->randomizer
->allocate_pseudo_random_bytes(this->ike_sa
->randomizer
, NONCE_SIZE
, &(this->sent_nonce
)) != SUCCESS
)
359 this->logger
->log(this->logger
, ERROR
, "Could not create nonce!");
363 /* store shared secret */
364 this->logger
->log(this->logger
, CONTROL
| MOST
, "Retrieve shared secret and store it");
365 status
= this->diffie_hellman
->get_shared_secret(this->diffie_hellman
, &shared_secret
);
366 this->logger
->log_chunk(this->logger
, PRIVATE
, "Shared secret", &shared_secret
);
368 status
= this->ike_sa
->compute_secrets(this->ike_sa
,shared_secret
,this->received_nonce
, this->sent_nonce
);
369 if (status
!= SUCCESS
)
371 /* secrets could not be computed */
372 this->logger
->log(this->logger
, ERROR
| MORE
, "Secrets could not be computed!");
378 /* set up the reply */
379 status
= this->ike_sa
->build_message(this->ike_sa
, IKE_SA_INIT
, FALSE
, &response
);
380 if (status
!= SUCCESS
)
382 this->logger
->log(this->logger
, ERROR
, "Could not create empty message");
386 /* build SA payload */
387 status
= this->build_sa_payload(this, &payload
);
388 if (status
!= SUCCESS
)
390 this->logger
->log(this->logger
, ERROR
, "Could not build SA payload");
394 this ->logger
->log(this->logger
, CONTROL
|MOST
, "add SA payload to message");
395 status
= response
->add_payload(response
, payload
);
396 if (status
!= SUCCESS
)
398 this->logger
->log(this->logger
, ERROR
, "Could not add SA payload to message");
402 /* build KE payload */
403 status
= this->build_ke_payload(this,&payload
);
404 if (status
!= SUCCESS
)
406 this->logger
->log(this->logger
, ERROR
, "Could not build KE payload");
410 this ->logger
->log(this->logger
, CONTROL
|MOST
, "add KE payload to message");
411 status
= response
->add_payload(response
, payload
);
412 if (status
!= SUCCESS
)
414 this->logger
->log(this->logger
, ERROR
, "Could not add KE payload to message");
418 /* build Nonce payload */
419 status
= this->build_nonce_payload(this, &payload
);
420 if (status
!= SUCCESS
)
422 this->logger
->log(this->logger
, ERROR
, "Could not build NONCE payload");
426 this ->logger
->log(this->logger
, CONTROL
|MOST
, "add nonce payload to message");
427 status
= response
->add_payload(response
, payload
);
428 if (status
!= SUCCESS
)
430 this->logger
->log(this->logger
, ERROR
, "Could not add nonce payload to message");
434 /* generate packet */
435 this ->logger
->log(this->logger
, CONTROL
|MOST
, "generate packet from message");
436 status
= response
->generate(response
, &packet
);
437 if (status
!= SUCCESS
)
439 this->logger
->log(this->logger
, ERROR
, "Fatal error: could not generate packet from message");
443 this ->logger
->log(this->logger
, CONTROL
|MOST
, "Add packet to global send queue");
444 status
= global_send_queue
->add(global_send_queue
, packet
);
445 if (status
!= SUCCESS
)
447 this->logger
->log(this->logger
, ERROR
, "Could not add packet to send queue");
451 /* state can now be changed */
452 this ->logger
->log(this->logger
, CONTROL
|MOST
, "Create next state object");
454 next_state
= ike_sa_init_responded_create(this->ike_sa
, shared_secret
, this->received_nonce
, this->sent_nonce
);
456 if (next_state
== NULL
)
458 this ->logger
->log(this->logger
, ERROR
, "Fatal error: could not create next state object of type ike_sa_init_responded_t");
459 allocator_free_chunk(shared_secret
);
463 if ( this->ike_sa
->last_responded_message
!= NULL
)
465 /* destroy message */
466 this ->logger
->log(this->logger
, CONTROL
|MOST
, "Destroy stored last responded message");
467 this->ike_sa
->last_responded_message
->destroy(this->ike_sa
->last_responded_message
);
469 this->ike_sa
->last_responded_message
= response
;
471 /* message counter can now be increased */
472 this ->logger
->log(this->logger
, CONTROL
|MOST
, "Increate message counter for incoming messages");
473 this->ike_sa
->message_id_in
++;
475 *new_state
= (state_t
*) next_state
;
476 /* state has NOW changed :-) */
477 this ->logger
->log(this->logger
, CONTROL
|MORE
, "Changed state of IKE_SA from %s to %s",mapping_find(ike_sa_state_m
,RESPONDER_INIT
),mapping_find(ike_sa_state_m
,IKE_SA_INIT_RESPONDED
) );
479 this ->logger
->log(this->logger
, CONTROL
|MOST
, "Destroy old sate object");
480 this->destroy_after_state_change(this);
486 * implements private_initiator_init_t.build_sa_payload
488 static status_t
build_sa_payload(private_responder_init_t
*this, payload_t
**payload
)
490 sa_payload_t
* sa_payload
;
491 linked_list_iterator_t
*proposal_iterator
;
495 /* SA payload takes proposals from this->ike_sa_init_data.proposals and writes them to the created sa_payload */
497 this->logger
->log(this->logger
, CONTROL
|MORE
, "building sa payload");
499 status
= this->proposals
->create_iterator(this->proposals
, &proposal_iterator
, FALSE
);
500 if (status
!= SUCCESS
)
502 this->logger
->log(this->logger
, ERROR
, "Fatal error: Could not create iterator on list for proposals");
506 sa_payload
= sa_payload_create();
507 if (sa_payload
== NULL
)
509 this->logger
->log(this->logger
, ERROR
, "Fatal error: Could not create SA payload object");
513 while (proposal_iterator
->has_next(proposal_iterator
))
515 proposal_substructure_t
*current_proposal
;
516 proposal_substructure_t
*current_proposal_clone
;
517 status
= proposal_iterator
->current(proposal_iterator
,(void **) ¤t_proposal
);
518 if (status
!= SUCCESS
)
520 this->logger
->log(this->logger
, ERROR
, "Could not get current proposal needed to copy");
521 proposal_iterator
->destroy(proposal_iterator
);
522 sa_payload
->destroy(sa_payload
);
525 status
= current_proposal
->clone(current_proposal
,¤t_proposal_clone
);
526 if (status
!= SUCCESS
)
528 this->logger
->log(this->logger
, ERROR
, "Could not clone current proposal");
529 proposal_iterator
->destroy(proposal_iterator
);
530 sa_payload
->destroy(sa_payload
);
534 status
= sa_payload
->add_proposal_substructure(sa_payload
,current_proposal_clone
);
535 if (status
!= SUCCESS
)
537 this->logger
->log(this->logger
, ERROR
, "Could not add cloned proposal to SA payload");
538 proposal_iterator
->destroy(proposal_iterator
);
539 sa_payload
->destroy(sa_payload
);
545 proposal_iterator
->destroy(proposal_iterator
);
547 this->logger
->log(this->logger
, CONTROL
|MORE
, "sa payload builded");
549 *payload
= (payload_t
*) sa_payload
;
555 * implements private_initiator_init_t.build_ke_payload
557 static status_t
build_ke_payload(private_responder_init_t
*this, payload_t
**payload
)
559 ke_payload_t
*ke_payload
;
563 this->logger
->log(this->logger
, CONTROL
|MORE
, "building ke payload");
566 this ->logger
->log(this->logger
, CONTROL
|MORE
, "get public dh value to send in ke payload");
567 status
= this->diffie_hellman
->get_my_public_value(this->diffie_hellman
,&key_data
);
568 if (status
!= SUCCESS
)
570 this->logger
->log(this->logger
, ERROR
, "Could not get my DH public value");
574 ke_payload
= ke_payload_create();
575 if (ke_payload
== NULL
)
577 this->logger
->log(this->logger
, ERROR
, "Could not create KE payload");
578 allocator_free_chunk(key_data
);
581 ke_payload
->set_dh_group_number(ke_payload
, MODP_1024_BIT
);
582 if (ke_payload
->set_key_exchange_data(ke_payload
, key_data
) != SUCCESS
)
584 this->logger
->log(this->logger
, ERROR
, "Could not set key exchange data of KE payload");
585 ke_payload
->destroy(ke_payload
);
586 allocator_free_chunk(key_data
);
589 allocator_free_chunk(key_data
);
591 *payload
= (payload_t
*) ke_payload
;
596 * implements private_initiator_init_t.build_nonce_payload
598 static status_t
build_nonce_payload(private_responder_init_t
*this, payload_t
**payload
)
600 nonce_payload_t
*nonce_payload
;
603 this->logger
->log(this->logger
, CONTROL
|MORE
, "building nonce payload");
605 nonce_payload
= nonce_payload_create();
606 if (nonce_payload
== NULL
)
608 this->logger
->log(this->logger
, ERROR
, "Fatal error: could not create nonce payload object");
612 status
= nonce_payload
->set_nonce(nonce_payload
, this->sent_nonce
);
614 if (status
!= SUCCESS
)
616 this->logger
->log(this->logger
, ERROR
, "Fatal error: could not set nonce data of payload");
617 nonce_payload
->destroy(nonce_payload
);
621 *payload
= (payload_t
*) nonce_payload
;
628 * Implements state_t.get_state
630 static ike_sa_state_t
get_state(private_responder_init_t
*this)
632 return RESPONDER_INIT
;
636 * Implements state_t.get_state
638 static status_t
destroy(private_responder_init_t
*this)
640 this->logger
->log(this->logger
, CONTROL
| MORE
, "Going to destroy responder init state object");
642 /* destroy stored proposal */
643 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy stored proposals");
644 while (this->proposals
->get_count(this->proposals
) > 0)
646 proposal_substructure_t
*current_proposal
;
647 this->proposals
->remove_first(this->proposals
,(void **)¤t_proposal
);
648 current_proposal
->destroy(current_proposal
);
650 this->proposals
->destroy(this->proposals
);
652 if (this->sent_nonce
.ptr
!= NULL
)
654 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy sent nonce");
655 allocator_free(this->sent_nonce
.ptr
);
658 if (this->received_nonce
.ptr
!= NULL
)
660 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy received nonce");
661 allocator_free(this->received_nonce
.ptr
);
664 /* destroy diffie hellman object */
665 if (this->diffie_hellman
!= NULL
)
667 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy diffie_hellman_t object");
668 this->diffie_hellman
->destroy(this->diffie_hellman
);
671 allocator_free(this);
678 * Implements private_responder_init_t.destroy_after_state_change
680 static status_t
destroy_after_state_change (private_responder_init_t
*this)
682 this->logger
->log(this->logger
, CONTROL
| MORE
, "Going to destroy responder_init_t state object");
684 /* destroy stored proposal */
685 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy stored proposals");
686 while (this->proposals
->get_count(this->proposals
) > 0)
688 proposal_substructure_t
*current_proposal
;
689 this->proposals
->remove_first(this->proposals
,(void **)¤t_proposal
);
690 current_proposal
->destroy(current_proposal
);
692 this->proposals
->destroy(this->proposals
);
694 /* destroy diffie hellman object */
695 if (this->diffie_hellman
!= NULL
)
697 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy diffie_hellman_t object");
698 this->diffie_hellman
->destroy(this->diffie_hellman
);
701 allocator_free(this);
706 * Described in header.
708 responder_init_t
*responder_init_create(protected_ike_sa_t
*ike_sa
)
710 private_responder_init_t
*this = allocator_alloc_thing(private_responder_init_t
);
717 /* interface functions */
718 this->public.state_interface
.process_message
= (status_t (*) (state_t
*,message_t
*,state_t
**)) process_message
;
719 this->public.state_interface
.get_state
= (ike_sa_state_t (*) (state_t
*)) get_state
;
720 this->public.state_interface
.destroy
= (status_t (*) (state_t
*)) destroy
;
722 /* private functions */
723 this->build_sa_payload
= build_sa_payload
;
724 this->build_ke_payload
= build_ke_payload
;
725 this->build_nonce_payload
= build_nonce_payload
;
726 this->destroy_after_state_change
= destroy_after_state_change
;
729 this->ike_sa
= ike_sa
;
730 this->logger
= this->ike_sa
->logger
;
731 this->sent_nonce
.ptr
= NULL
;
732 this->sent_nonce
.len
= 0;
733 this->received_nonce
.ptr
= NULL
;
734 this->received_nonce
.len
= 0;
735 this->proposals
= linked_list_create();
736 if (this->proposals
== NULL
)
738 allocator_free(this);
742 return &(this->public);