2 * @file responder_init.c
4 * @brief Start state of a IKE_SA as responder
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
23 #include "responder_init.h"
25 #include "ike_sa_init_responded.h"
26 #include "../globals.h"
27 #include "../utils/allocator.h"
28 #include "../payloads/sa_payload.h"
29 #include "../payloads/ke_payload.h"
30 #include "../payloads/nonce_payload.h"
31 #include "../transforms/diffie_hellman.h"
34 * Private data of a responder_init_t object.
37 typedef struct private_responder_init_s private_responder_init_t
;
38 struct private_responder_init_s
{
40 * Methods of the state_t interface.
42 responder_init_t
public;
47 protected_ike_sa_t
*ike_sa
;
50 * Diffie Hellman object used to compute shared secret.
52 * After processing of incoming IKE_SA_INIT-Request the shared key is
53 * passed to the next state of type ike_sa_init_responded_t.
55 diffie_hellman_t
*diffie_hellman
;
58 * Diffie Hellman group number.
60 u_int16_t dh_group_number
;
63 * Priority used to get matching dh_group number.
65 u_int16_t dh_group_priority
;
70 * This value is passed to the next state of type ike_sa_init_responded_t.
75 * Received nonce value
77 * This value is passed to the next state of type ike_sa_init_responded_t.
79 chunk_t received_nonce
;
82 * Logger used to log data
84 * Is logger of ike_sa!
89 * Proposals used to initiate connection
91 linked_list_t
*proposals
;
94 * Builds the SA payload for this state.
96 * @param this calling object
97 * @param payload The generated SA payload object of type ke_payload_t is
98 * stored at this location.
103 status_t (*build_sa_payload
) (private_responder_init_t
*this, payload_t
**payload
);
106 * Builds the KE payload for this state.
108 * @param this calling object
109 * @param payload The generated KE payload object of type ke_payload_t is
110 * stored at this location.
115 status_t (*build_ke_payload
) (private_responder_init_t
*this, payload_t
**payload
);
117 * Builds the NONCE payload for this state.
119 * @param this calling object
120 * @param payload The generated NONCE payload object of type ke_payload_t is
121 * stored at this location.
126 status_t (*build_nonce_payload
) (private_responder_init_t
*this, payload_t
**payload
);
129 * Destroy function called internally of this class after state change succeeded.
131 * This destroy function does not destroy objects which were passed to the new state.
133 * @param this calling object
134 * @return SUCCESS in any case
136 status_t (*destroy_after_state_change
) (private_responder_init_t
*this);
140 * Implements state_t.get_state
142 static status_t
process_message(private_responder_init_t
*this, message_t
*message
, state_t
**new_state
)
144 linked_list_iterator_t
*payloads
;
145 host_t
*source
, *destination
;
150 chunk_t shared_secret
;
151 exchange_type_t exchange_type
;
152 ike_sa_init_responded_t
*next_state
;
154 exchange_type
= message
->get_exchange_type(message
);
155 if (exchange_type
!= IKE_SA_INIT
)
157 this->logger
->log(this->logger
, ERROR
| MORE
, "Message of type %s not supported in state responder_init",mapping_find(exchange_type_m
,exchange_type
));
161 if (!message
->get_request(message
))
163 this->logger
->log(this->logger
, ERROR
| MORE
, "Only requests of type IKE_SA_INIT supported in state responder_init");
167 /* this is the first message we process, so copy host infos */
168 message
->get_source(message
, &source
);
169 message
->get_destination(message
, &destination
);
171 /* we need to clone them, since we destroy the message later */
172 destination
->clone(destination
, &(this->ike_sa
->me
.host
));
173 source
->clone(source
, &(this->ike_sa
->other
.host
));
175 /* parse incoming message */
176 status
= message
->parse_body(message
);
177 if (status
!= SUCCESS
)
179 this->logger
->log(this->logger
, ERROR
| MORE
, "Could not parse body of request message");
183 /* iterate over incoming payloads. We can be sure, the message contains only accepted payloads! */
184 status
= message
->get_payload_iterator(message
, &payloads
);
185 if (status
!= SUCCESS
)
187 this->logger
->log(this->logger
, ERROR
, "Fatal error: Could not get payload interator");
191 while (payloads
->has_next(payloads
))
195 /* get current payload */
196 payloads
->current(payloads
, (void**)&payload
);
198 this->logger
->log(this->logger
, CONTROL
|MORE
, "Processing payload of type %s", mapping_find(payload_type_m
, payload
->get_type(payload
)));
199 switch (payload
->get_type(payload
))
201 case SECURITY_ASSOCIATION
:
203 sa_payload_t
*sa_payload
= (sa_payload_t
*)payload
;
204 linked_list_iterator_t
*suggested_proposals
, *accepted_proposals
;
206 status
= this->proposals
->create_iterator(this->proposals
, &accepted_proposals
, FALSE
);
207 if (status
!= SUCCESS
)
209 this->logger
->log(this->logger
, ERROR
, "Fatal error: Could not create iterator on list for proposals");
210 payloads
->destroy(payloads
);
214 /* get the list of suggested proposals */
215 status
= sa_payload
->create_proposal_substructure_iterator(sa_payload
, &suggested_proposals
, TRUE
);
216 if (status
!= SUCCESS
)
218 this->logger
->log(this->logger
, ERROR
, "Fatal error: Could not create iterator on suggested proposals");
219 accepted_proposals
->destroy(accepted_proposals
);
220 payloads
->destroy(payloads
);
224 /* now let the configuration-manager select a subset of the proposals */
225 status
= global_configuration_manager
->select_proposals_for_host(global_configuration_manager
,
226 this->ike_sa
->other
.host
, suggested_proposals
, accepted_proposals
);
227 if (status
!= SUCCESS
)
229 this->logger
->log(this->logger
, CONTROL
| MORE
, "No proposal of suggested proposals selected");
230 suggested_proposals
->destroy(suggested_proposals
);
231 accepted_proposals
->destroy(accepted_proposals
);
232 payloads
->destroy(payloads
);
236 /* iterators are not needed anymore */
237 suggested_proposals
->destroy(suggested_proposals
);
238 accepted_proposals
->destroy(accepted_proposals
);
240 this->logger
->log(this->logger
, CONTROL
| MORE
, "SA Payload processed");
241 /* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/
246 ke_payload_t
*ke_payload
= (ke_payload_t
*)payload
;
247 diffie_hellman_group_t group
;
248 diffie_hellman_t
*dh
;
251 group
= ke_payload
->get_dh_group_number(ke_payload
);
253 status
= global_configuration_manager
->is_dh_group_allowed_for_host(global_configuration_manager
,
254 this->ike_sa
->other
.host
, group
, &allowed_group
);
256 if (status
!= SUCCESS
)
258 this->logger
->log(this->logger
, ERROR
| MORE
, "Could not get informations about DH group");
259 payloads
->destroy(payloads
);
264 /** @todo Send info reply */
267 /* create diffie hellman object to handle DH exchange */
268 dh
= diffie_hellman_create(group
);
271 this->logger
->log(this->logger
, ERROR
, "Could not generate DH object");
272 payloads
->destroy(payloads
);
276 this->logger
->log(this->logger
, CONTROL
| MORE
, "Set other DH public value");
278 status
= dh
->set_other_public_value(dh
, ke_payload
->get_key_exchange_data(ke_payload
));
279 if (status
!= SUCCESS
)
281 this->logger
->log(this->logger
, ERROR
, "Could not set other DH public value");
283 payloads
->destroy(payloads
);
287 this->diffie_hellman
= dh
;
289 this->logger
->log(this->logger
, CONTROL
| MORE
, "KE Payload processed");
294 nonce_payload_t
*nonce_payload
= (nonce_payload_t
*)payload
;
296 if (this->received_nonce
.ptr
!= NULL
)
298 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy stored received nonce");
299 allocator_free(this->received_nonce
.ptr
);
300 this->received_nonce
.ptr
= NULL
;
301 this->received_nonce
.len
= 0;
304 this->logger
->log(this->logger
, CONTROL
| MORE
, "Get nonce value and store it");
305 status
= nonce_payload
->get_nonce(nonce_payload
, &(this->received_nonce
));
306 if (status
!= SUCCESS
)
308 this->logger
->log(this->logger
, ERROR
, "Fatal error: Could not get nonce");
309 payloads
->destroy(payloads
);
313 this->logger
->log(this->logger
, CONTROL
| MORE
, "Nonce Payload processed");
318 this->logger
->log(this->logger
, ERROR
| MORE
, "Payload type not supported!");
319 payloads
->destroy(payloads
);
326 /* iterator can be destroyed */
327 payloads
->destroy(payloads
);
329 this->logger
->log(this->logger
, CONTROL
| MORE
, "Request successfully handled. Going to create reply.");
331 this->logger
->log(this->logger
, CONTROL
| MOST
, "Going to create nonce.");
332 if (this->ike_sa
->randomizer
->allocate_pseudo_random_bytes(this->ike_sa
->randomizer
, NONCE_SIZE
, &(this->sent_nonce
)) != SUCCESS
)
334 this->logger
->log(this->logger
, ERROR
, "Could not create nonce!");
339 /* set up the reply */
340 status
= this->ike_sa
->build_message(this->ike_sa
, IKE_SA_INIT
, FALSE
, &response
);
341 if (status
!= SUCCESS
)
343 this->logger
->log(this->logger
, ERROR
, "Could not create empty message");
347 /* build SA payload */
348 status
= this->build_sa_payload(this, &payload
);
349 if (status
!= SUCCESS
)
351 this->logger
->log(this->logger
, ERROR
, "Could not build SA payload");
355 this ->logger
->log(this->logger
, CONTROL
|MOST
, "add SA payload to message");
356 status
= response
->add_payload(response
, payload
);
357 if (status
!= SUCCESS
)
359 this->logger
->log(this->logger
, ERROR
, "Could not add SA payload to message");
363 /* build KE payload */
364 status
= this->build_ke_payload(this,&payload
);
365 if (status
!= SUCCESS
)
367 this->logger
->log(this->logger
, ERROR
, "Could not build KE payload");
371 this ->logger
->log(this->logger
, CONTROL
|MOST
, "add KE payload to message");
372 status
= response
->add_payload(response
, payload
);
373 if (status
!= SUCCESS
)
375 this->logger
->log(this->logger
, ERROR
, "Could not add KE payload to message");
379 /* build Nonce payload */
380 status
= this->build_nonce_payload(this, &payload
);
381 if (status
!= SUCCESS
)
383 this->logger
->log(this->logger
, ERROR
, "Could not build NONCE payload");
387 this ->logger
->log(this->logger
, CONTROL
|MOST
, "add nonce payload to message");
388 status
= response
->add_payload(response
, payload
);
389 if (status
!= SUCCESS
)
391 this->logger
->log(this->logger
, ERROR
, "Could not add nonce payload to message");
395 /* generate packet */
396 this ->logger
->log(this->logger
, CONTROL
|MOST
, "generate packet from message");
397 status
= response
->generate(response
, &packet
);
398 if (status
!= SUCCESS
)
400 this->logger
->log(this->logger
, ERROR
, "Fatal error: could not generate packet from message");
404 this ->logger
->log(this->logger
, CONTROL
|MOST
, "Add packet to global send queue");
405 status
= global_send_queue
->add(global_send_queue
, packet
);
406 if (status
!= SUCCESS
)
408 this->logger
->log(this->logger
, ERROR
, "Could not add packet to send queue");
412 status
= this->diffie_hellman
->get_shared_secret(this->diffie_hellman
, &shared_secret
);
413 this->logger
->log_chunk(this->logger
, PRIVATE
, "Shared secret", &shared_secret
);
416 /* state can now be changed */
417 this ->logger
->log(this->logger
, CONTROL
|MOST
, "Create next state object");
419 next_state
= ike_sa_init_responded_create(this->ike_sa
, shared_secret
, this->received_nonce
, this->sent_nonce
);
421 if (next_state
== NULL
)
423 this ->logger
->log(this->logger
, ERROR
, "Fatal error: could not create next state object of type ike_sa_init_responded_t");
424 allocator_free_chunk(shared_secret
);
428 if ( this->ike_sa
->last_responded_message
!= NULL
)
430 /* destroy message */
431 this ->logger
->log(this->logger
, CONTROL
|MOST
, "Destroy stored last responded message");
432 this->ike_sa
->last_responded_message
->destroy(this->ike_sa
->last_responded_message
);
434 this->ike_sa
->last_responded_message
= response
;
436 /* message counter can now be increased */
437 this ->logger
->log(this->logger
, CONTROL
|MOST
, "Increate message counter for incoming messages");
438 this->ike_sa
->message_id_in
++;
440 *new_state
= (state_t
*) next_state
;
441 /* state has NOW changed :-) */
442 this ->logger
->log(this->logger
, CONTROL
|MORE
, "Changed state of IKE_SA from %s to %s",mapping_find(ike_sa_state_m
,RESPONDER_INIT
),mapping_find(ike_sa_state_m
,IKE_SA_INIT_RESPONDED
) );
444 this ->logger
->log(this->logger
, CONTROL
|MOST
, "Destroy old sate object");
445 this->destroy_after_state_change(this);
451 * implements private_initiator_init_t.build_sa_payload
453 static status_t
build_sa_payload(private_responder_init_t
*this, payload_t
**payload
)
455 sa_payload_t
* sa_payload
;
456 linked_list_iterator_t
*proposal_iterator
;
460 /* SA payload takes proposals from this->ike_sa_init_data.proposals and writes them to the created sa_payload */
462 this->logger
->log(this->logger
, CONTROL
|MORE
, "building sa payload");
464 status
= this->proposals
->create_iterator(this->proposals
, &proposal_iterator
, FALSE
);
465 if (status
!= SUCCESS
)
467 this->logger
->log(this->logger
, ERROR
, "Fatal error: Could not create iterator on list for proposals");
471 sa_payload
= sa_payload_create();
472 if (sa_payload
== NULL
)
474 this->logger
->log(this->logger
, ERROR
, "Fatal error: Could not create SA payload object");
478 while (proposal_iterator
->has_next(proposal_iterator
))
480 proposal_substructure_t
*current_proposal
;
481 proposal_substructure_t
*current_proposal_clone
;
482 status
= proposal_iterator
->current(proposal_iterator
,(void **) ¤t_proposal
);
483 if (status
!= SUCCESS
)
485 this->logger
->log(this->logger
, ERROR
, "Could not get current proposal needed to copy");
486 proposal_iterator
->destroy(proposal_iterator
);
487 sa_payload
->destroy(sa_payload
);
490 status
= current_proposal
->clone(current_proposal
,¤t_proposal_clone
);
491 if (status
!= SUCCESS
)
493 this->logger
->log(this->logger
, ERROR
, "Could not clone current proposal");
494 proposal_iterator
->destroy(proposal_iterator
);
495 sa_payload
->destroy(sa_payload
);
499 status
= sa_payload
->add_proposal_substructure(sa_payload
,current_proposal_clone
);
500 if (status
!= SUCCESS
)
502 this->logger
->log(this->logger
, ERROR
, "Could not add cloned proposal to SA payload");
503 proposal_iterator
->destroy(proposal_iterator
);
504 sa_payload
->destroy(sa_payload
);
510 proposal_iterator
->destroy(proposal_iterator
);
512 this->logger
->log(this->logger
, CONTROL
|MORE
, "sa payload builded");
514 *payload
= (payload_t
*) sa_payload
;
520 * implements private_initiator_init_t.build_ke_payload
522 static status_t
build_ke_payload(private_responder_init_t
*this, payload_t
**payload
)
524 ke_payload_t
*ke_payload
;
528 this->logger
->log(this->logger
, CONTROL
|MORE
, "building ke payload");
531 this ->logger
->log(this->logger
, CONTROL
|MORE
, "get public dh value to send in ke payload");
532 status
= this->diffie_hellman
->get_my_public_value(this->diffie_hellman
,&key_data
);
533 if (status
!= SUCCESS
)
535 this->logger
->log(this->logger
, ERROR
, "Could not get my DH public value");
539 ke_payload
= ke_payload_create();
540 if (ke_payload
== NULL
)
542 this->logger
->log(this->logger
, ERROR
, "Could not create KE payload");
543 allocator_free_chunk(key_data
);
546 ke_payload
->set_dh_group_number(ke_payload
, MODP_1024_BIT
);
547 if (ke_payload
->set_key_exchange_data(ke_payload
, key_data
) != SUCCESS
)
549 this->logger
->log(this->logger
, ERROR
, "Could not set key exchange data of KE payload");
550 ke_payload
->destroy(ke_payload
);
551 allocator_free_chunk(key_data
);
554 allocator_free_chunk(key_data
);
556 *payload
= (payload_t
*) ke_payload
;
561 * implements private_initiator_init_t.build_nonce_payload
563 static status_t
build_nonce_payload(private_responder_init_t
*this, payload_t
**payload
)
565 nonce_payload_t
*nonce_payload
;
568 this->logger
->log(this->logger
, CONTROL
|MORE
, "building nonce payload");
570 nonce_payload
= nonce_payload_create();
571 if (nonce_payload
== NULL
)
573 this->logger
->log(this->logger
, ERROR
, "Fatal error: could not create nonce payload object");
577 status
= nonce_payload
->set_nonce(nonce_payload
, this->sent_nonce
);
579 if (status
!= SUCCESS
)
581 this->logger
->log(this->logger
, ERROR
, "Fatal error: could not set nonce data of payload");
582 nonce_payload
->destroy(nonce_payload
);
586 *payload
= (payload_t
*) nonce_payload
;
593 * Implements state_t.get_state
595 static ike_sa_state_t
get_state(private_responder_init_t
*this)
597 return RESPONDER_INIT
;
601 * Implements state_t.get_state
603 static status_t
destroy(private_responder_init_t
*this)
605 this->logger
->log(this->logger
, CONTROL
| MORE
, "Going to destroy responder init state object");
607 /* destroy stored proposal */
608 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy stored proposals");
609 while (this->proposals
->get_count(this->proposals
) > 0)
611 proposal_substructure_t
*current_proposal
;
612 this->proposals
->remove_first(this->proposals
,(void **)¤t_proposal
);
613 current_proposal
->destroy(current_proposal
);
615 this->proposals
->destroy(this->proposals
);
617 if (this->sent_nonce
.ptr
!= NULL
)
619 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy sent nonce");
620 allocator_free(this->sent_nonce
.ptr
);
623 if (this->received_nonce
.ptr
!= NULL
)
625 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy received nonce");
626 allocator_free(this->received_nonce
.ptr
);
629 /* destroy diffie hellman object */
630 if (this->diffie_hellman
!= NULL
)
632 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy diffie_hellman_t object");
633 this->diffie_hellman
->destroy(this->diffie_hellman
);
636 allocator_free(this);
643 * Implements private_responder_init_t.destroy_after_state_change
645 static status_t
destroy_after_state_change (private_responder_init_t
*this)
647 this->logger
->log(this->logger
, CONTROL
| MORE
, "Going to destroy responder_init_t state object");
649 /* destroy stored proposal */
650 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy stored proposals");
651 while (this->proposals
->get_count(this->proposals
) > 0)
653 proposal_substructure_t
*current_proposal
;
654 this->proposals
->remove_first(this->proposals
,(void **)¤t_proposal
);
655 current_proposal
->destroy(current_proposal
);
657 this->proposals
->destroy(this->proposals
);
659 /* destroy diffie hellman object */
660 if (this->diffie_hellman
!= NULL
)
662 this->logger
->log(this->logger
, CONTROL
| MOST
, "Destroy diffie_hellman_t object");
663 this->diffie_hellman
->destroy(this->diffie_hellman
);
666 allocator_free(this);
671 * Described in header.
673 responder_init_t
*responder_init_create(protected_ike_sa_t
*ike_sa
)
675 private_responder_init_t
*this = allocator_alloc_thing(private_responder_init_t
);
682 /* interface functions */
683 this->public.state_interface
.process_message
= (status_t (*) (state_t
*,message_t
*,state_t
**)) process_message
;
684 this->public.state_interface
.get_state
= (ike_sa_state_t (*) (state_t
*)) get_state
;
685 this->public.state_interface
.destroy
= (status_t (*) (state_t
*)) destroy
;
687 /* private functions */
688 this->build_sa_payload
= build_sa_payload
;
689 this->build_ke_payload
= build_ke_payload
;
690 this->build_nonce_payload
= build_nonce_payload
;
691 this->destroy_after_state_change
= destroy_after_state_change
;
694 this->ike_sa
= ike_sa
;
695 this->logger
= this->ike_sa
->logger
;
696 this->sent_nonce
.ptr
= NULL
;
697 this->sent_nonce
.len
= 0;
698 this->received_nonce
.ptr
= NULL
;
699 this->received_nonce
.len
= 0;
700 this->proposals
= linked_list_create();
701 if (this->proposals
== NULL
)
703 allocator_free(this);
707 return &(this->public);