- some logging improvements and cosmetics
[strongswan.git] / src / charon / sa / states / ike_auth_requested.c
1 /**
2 * @file ike_auth_requested.c
3 *
4 * @brief Implementation of ike_auth_requested_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <string.h>
24
25 #include "ike_auth_requested.h"
26
27 #include <daemon.h>
28 #include <encoding/payloads/ts_payload.h>
29 #include <encoding/payloads/sa_payload.h>
30 #include <encoding/payloads/id_payload.h>
31 #include <encoding/payloads/auth_payload.h>
32 #include <encoding/payloads/notify_payload.h>
33 #include <crypto/signers/signer.h>
34 #include <crypto/crypters/crypter.h>
35 #include <sa/states/ike_sa_established.h>
36 #include <sa/authenticator.h>
37 #include <sa/child_sa.h>
38
39 typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
40
41 /**
42 * Private data of a ike_auth_requested_t object.
43 *
44 */
45 struct private_ike_auth_requested_t {
46 /**
47 * Public interface of ike_auth_requested_t.
48 */
49 ike_auth_requested_t public;
50
51 /**
52 * Assigned IKE_SA.
53 */
54 protected_ike_sa_t *ike_sa;
55
56 /**
57 * SA config, just a copy of the one stored in the ike_sa.
58 */
59 policy_t *policy;
60
61 /**
62 * Received nonce from responder.
63 */
64 chunk_t received_nonce;
65
66 /**
67 * Sent nonce in IKE_SA_INIT request.
68 */
69 chunk_t sent_nonce;
70
71 /**
72 * IKE_SA_INIT-Request in binary form.
73 */
74 chunk_t ike_sa_init_reply_data;
75
76 /**
77 * Proposal to setup CHILD_SA
78 */
79 proposal_t *proposal;
80
81 /**
82 * Traffic selectors applicable at our site
83 */
84 linked_list_t *my_ts;
85
86 /**
87 * Traffic selectors applicable at remote site
88 */
89 linked_list_t *other_ts;
90
91 /**
92 * Child sa created in ike_sa_init_requested
93 */
94 child_sa_t *child_sa;
95
96 /**
97 * Assigned Logger.
98 *
99 * Is logger of ike_sa!
100 */
101 logger_t *logger;
102
103 /**
104 * Process the IDr payload (check if other id is valid)
105 *
106 * @param this calling object
107 * @param idr_payload ID payload of responder
108 * @return
109 * - SUCCESS
110 * - DESTROY_ME
111 */
112 status_t (*process_idr_payload) (private_ike_auth_requested_t *this, id_payload_t *idr_payload);
113
114 /**
115 * Process the SA payload (check if selected proposals are valid, setup child sa)
116 *
117 * @param this calling object
118 * @param sa_payload SA payload of responder
119 *
120 * - SUCCESS
121 * - DESTROY_ME
122 */
123 status_t (*process_sa_payload) (private_ike_auth_requested_t *this, sa_payload_t *sa_payload);
124
125 /**
126 * Process the AUTH payload (check authenticity of message)
127 *
128 * @param this calling object
129 * @param auth_payload AUTH payload of responder
130 * @param other_id_payload ID payload of responder
131 *
132 * - SUCCESS
133 * - DESTROY_ME
134 */
135 status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload);
136
137 /**
138 * Process the TS payload (check if selected traffic selectors are valid)
139 *
140 * @param this calling object
141 * @param ts_initiator TRUE if TS payload is TSi, FALSE for TSr
142 * @param ts_payload TS payload of responder
143 *
144 * - SUCCESS
145 * - DESTROY_ME
146 */
147 status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload);
148
149 /**
150 * Process a notify payload
151 *
152 * @param this calling object
153 * @param notify_payload notify payload
154 *
155 * - SUCCESS
156 * - FAILED
157 * - DESTROY_ME
158 */
159 status_t (*process_notify_payload) (private_ike_auth_requested_t *this, notify_payload_t *notify_payload);
160
161 /**
162 * Destroy function called internally of this class after state change to
163 * state IKE_SA_ESTABLISHED succeeded.
164 *
165 * This destroy function does not destroy objects which were passed to the new state.
166 *
167 * @param this calling object
168 */
169 void (*destroy_after_state_change) (private_ike_auth_requested_t *this);
170 };
171
172
173 /**
174 * Implements state_t.process_message
175 */
176 static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply)
177 {
178 ts_payload_t *tsi_payload = NULL, *tsr_payload = NULL;
179 id_payload_t *idr_payload = NULL;
180 auth_payload_t *auth_payload = NULL;
181 sa_payload_t *sa_payload = NULL;
182 iterator_t *payloads = NULL;
183 crypter_t *crypter = NULL;
184 signer_t *signer = NULL;
185 status_t status;
186 host_t *my_host, *other_host;
187 identification_t *my_id, *other_id;
188 chunk_t seed;
189 prf_plus_t *prf_plus;
190 connection_t *connection;
191
192 if (ike_auth_reply->get_exchange_type(ike_auth_reply) != IKE_AUTH)
193 {
194 this->logger->log(this->logger, ERROR | LEVEL1, "Message of type %s not supported in state ike_auth_requested",
195 mapping_find(exchange_type_m,ike_auth_reply->get_exchange_type(ike_auth_reply)));
196 return FAILED;
197 }
198
199 if (ike_auth_reply->get_request(ike_auth_reply))
200 {
201 this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH requests not allowed state ike_sa_init_responded");
202 return FAILED;
203 }
204
205 /* get signer for verification and crypter for decryption */
206 signer = this->ike_sa->get_signer_responder(this->ike_sa);
207 crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
208
209 /* parse incoming message */
210 status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer);
211 if (status != SUCCESS)
212 {
213 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply decryption failed. Ignoring message");
214 return status;
215 }
216
217 this->policy = this->ike_sa->get_policy(this->ike_sa);
218
219 /* we collect all payloads, which are processed later. Notify's are processed
220 * in place, since we don't know how may are there.
221 */
222 payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply);
223 while (payloads->has_next(payloads))
224 {
225 payload_t *payload;
226 payloads->current(payloads, (void**)&payload);
227
228 switch (payload->get_type(payload))
229 {
230 case AUTHENTICATION:
231 {
232 auth_payload = (auth_payload_t*)payload;
233 break;
234 }
235 case ID_RESPONDER:
236 {
237 idr_payload = (id_payload_t*)payload;
238 break;
239 }
240 case SECURITY_ASSOCIATION:
241 {
242 sa_payload = (sa_payload_t*)payload;
243 break;
244 }
245 case TRAFFIC_SELECTOR_INITIATOR:
246 {
247 tsi_payload = (ts_payload_t*)payload;
248 break;
249 }
250 case TRAFFIC_SELECTOR_RESPONDER:
251 {
252 tsr_payload = (ts_payload_t*)payload;
253 break;
254 }
255 case NOTIFY:
256 {
257 notify_payload_t *notify_payload = (notify_payload_t *) payload;
258 /* handle the notify directly, abort if no further processing required */
259 status = this->process_notify_payload(this, notify_payload);
260 if (status != SUCCESS)
261 {
262 payloads->destroy(payloads);
263 return status;
264 }
265 }
266 case CERTIFICATE:
267 {
268 /* TODO handle cert payloads */
269 }
270 default:
271 {
272 this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)",
273 mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload));
274 break;
275 }
276 }
277 }
278 /* iterator can be destroyed */
279 payloads->destroy(payloads);
280
281 /* check if we have all payloads */
282 if (!(idr_payload && sa_payload && auth_payload && tsi_payload && tsr_payload))
283 {
284 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA");
285 return DESTROY_ME;
286 }
287
288 /* process all payloads */
289 status = this->process_idr_payload(this, idr_payload);
290 if (status != SUCCESS)
291 {
292 return status;
293 }
294 status = this->process_auth_payload(this, auth_payload,idr_payload);
295 if (status != SUCCESS)
296 {
297 return status;
298 }
299 status = this->process_sa_payload(this, sa_payload);
300 if (status != SUCCESS)
301 {
302 return status;
303 }
304 status = this->process_ts_payload(this, TRUE, tsi_payload);
305 if (status != SUCCESS)
306 {
307 return status;
308 }
309 status = this->process_ts_payload(this, FALSE, tsr_payload);
310 if (status != SUCCESS)
311 {
312 return status;
313 }
314
315 /* install child SAs for AH and esp */
316 if (!this->child_sa)
317 {
318 this->logger->log(this->logger, CONTROL, "No CHILD_SA requested, no CHILD_SA built");
319 }
320 if (!this->proposal)
321 {
322 this->logger->log(this->logger, CONTROL, "Proposal negotiation failed, no CHILD_SA built");
323 this->child_sa->destroy(this->child_sa);
324 this->child_sa = NULL;
325 }
326 else if (this->my_ts->get_count(this->my_ts) == 0 || this->other_ts->get_count(this->other_ts) == 0)
327 {
328 this->logger->log(this->logger, CONTROL, "Traffic selector negotiation failed, no CHILD_SA built");
329 this->child_sa->destroy(this->child_sa);
330 this->child_sa = NULL;
331 }
332 else
333 {
334 seed = chunk_alloc(this->sent_nonce.len + this->received_nonce.len);
335 memcpy(seed.ptr, this->sent_nonce.ptr, this->sent_nonce.len);
336 memcpy(seed.ptr + this->sent_nonce.len, this->received_nonce.ptr, this->received_nonce.len);
337 prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
338 chunk_free(&seed);
339
340 status = this->child_sa->update(this->child_sa, this->proposal, prf_plus);
341 prf_plus->destroy(prf_plus);
342 if (status != SUCCESS)
343 {
344 this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA");
345 return DESTROY_ME;
346 }
347 status = this->child_sa->add_policies(this->child_sa, this->my_ts, this->other_ts);
348 if (status != SUCCESS)
349 {
350 this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA policy! Deleting IKE_SA");
351 return DESTROY_ME;
352 }
353 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
354 }
355
356 this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
357
358 /* create new state */
359 this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
360 this->destroy_after_state_change(this);
361
362 connection = this->ike_sa->get_connection(this->ike_sa);
363 my_host = connection->get_my_host(connection);
364 other_host = connection->get_other_host(connection);
365 my_id = connection->get_my_id(connection);
366 other_id = connection->get_other_id(connection);
367 this->logger->log(this->logger, AUDIT, "IKE_SA established %s[%s]...%s[%s]",
368 my_host->get_address(my_host), my_id->get_string(my_id),
369 other_host->get_address(other_host), other_id->get_string(other_id));
370
371 return SUCCESS;
372 }
373
374 /**
375 * Implements private_ike_auth_requested_t.process_idr_payload
376 */
377 static status_t process_idr_payload(private_ike_auth_requested_t *this, id_payload_t *idr_payload)
378 {
379 identification_t *other_id, *configured_other_id;
380 connection_t *connection;
381
382 other_id = idr_payload->get_identification(idr_payload);
383 configured_other_id = this->policy->get_other_id(this->policy);
384
385 this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s",
386 configured_other_id->get_string(configured_other_id),
387 other_id->get_string(other_id));
388
389 if (!other_id->belongs_to(other_id, configured_other_id))
390 {
391 other_id->destroy(other_id);
392 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not acceptable ID. Deleting IKE_SA");
393 return DESTROY_ME;
394 }
395
396 connection = this->ike_sa->get_connection(this->ike_sa);
397 connection->update_other_id(connection, other_id->clone(other_id));
398
399 this->policy->update_other_id(this->policy, other_id);
400 return SUCCESS;
401 }
402
403 /**
404 * Implements private_ike_auth_requested_t.process_sa_payload
405 */
406 static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payload_t *sa_payload)
407 {
408 proposal_t *proposal, *proposal_tmp;
409 linked_list_t *proposal_list;
410
411 /* get his selected proposal */
412 proposal_list = sa_payload->get_proposals(sa_payload);
413 /* check count of proposals */
414 if (proposal_list->get_count(proposal_list) == 0)
415 {
416 /* no proposal? we accept this, but no child sa is built */
417 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD didn't contain any proposals. No CHILD_SA created",
418 proposal_list->get_count(proposal_list));
419 proposal_list->destroy(proposal_list);
420 return SUCCESS;
421 }
422 if (proposal_list->get_count(proposal_list) > 1)
423 {
424 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD contained %d proposal. Deleting IKE_SA",
425 proposal_list->get_count(proposal_list));
426 while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
427 {
428 proposal->destroy(proposal);
429 }
430 proposal_list->destroy(proposal_list);
431 return DESTROY_ME;
432 }
433
434 /* we have to re-check here if other's selection is valid */
435 proposal = this->policy->select_proposal(this->policy, proposal_list);
436 /* list not needed anymore */
437 while (proposal_list->remove_last(proposal_list, (void**)&proposal_tmp) == SUCCESS)
438 {
439 proposal_tmp->destroy(proposal_tmp);
440 }
441 proposal_list->destroy(proposal_list);
442 /* got a match? */
443 if (proposal == NULL)
444 {
445 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not offered proposal. Deleting IKE_SA");
446 return DESTROY_ME;
447 }
448
449 /* apply proposal */
450 this->proposal = proposal;
451
452 return SUCCESS;
453 }
454
455 /**
456 * Implements private_ike_auth_requested_t.process_auth_payload
457 */
458 static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload)
459 {
460 authenticator_t *authenticator;
461 status_t status;
462
463 authenticator = authenticator_create(this->ike_sa);
464 status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE);
465 authenticator->destroy(authenticator);
466 if (status != SUCCESS)
467 {
468 this->logger->log(this->logger, AUDIT, "Verification of IKE_AUTH reply failed. Deleting IKE_SA");
469 return DESTROY_ME;
470 }
471
472 this->logger->log(this->logger, CONTROL|LEVEL1, "AUTH data verified successfully");
473 return SUCCESS;
474 }
475
476 /**
477 * Implements private_ike_auth_requested_t.process_ts_payload
478 */
479 static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload)
480 {
481 linked_list_t *ts_received, *ts_selected;
482 traffic_selector_t *ts;
483
484 /* get ts form payload */
485 ts_received = ts_payload->get_traffic_selectors(ts_payload);
486 /* select ts depending on payload type */
487 if (ts_initiator)
488 {
489 ts_selected = this->policy->select_my_traffic_selectors(this->policy, ts_received);
490 this->my_ts = ts_selected;
491 }
492 else
493 {
494 ts_selected = this->policy->select_other_traffic_selectors(this->policy, ts_received);
495 this->other_ts = ts_selected;
496 }
497 /* check if the responder selected valid proposals */
498 if (ts_selected->get_count(ts_selected) != ts_received->get_count(ts_received))
499 {
500 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained not offered traffic selectors.");
501 }
502
503 /* cleanup */
504 while (ts_received->remove_last(ts_received, (void**)&ts) == SUCCESS)
505 {
506 ts->destroy(ts);
507 }
508 ts_received->destroy(ts_received);
509
510 return SUCCESS;
511 }
512
513 /**
514 * Implements private_ike_auth_requested_t.process_notify_payload
515 */
516 static status_t process_notify_payload(private_ike_auth_requested_t *this, notify_payload_t *notify_payload)
517 {
518 notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
519
520 this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s",
521 mapping_find(notify_message_type_m, notify_message_type));
522
523 switch (notify_message_type)
524 {
525 case INVALID_SYNTAX:
526 {
527 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an INVALID_SYNTAX notify. Deleting IKE_SA");
528 return DESTROY_ME;
529
530 }
531 case AUTHENTICATION_FAILED:
532 {
533 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an AUTHENTICATION_FAILED notify. Deleting IKE_SA");
534 return DESTROY_ME;
535
536 }
537 case SINGLE_PAIR_REQUIRED:
538 {
539 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a SINGLE_PAIR_REQUIRED notify. Deleting IKE_SA");
540 return DESTROY_ME;
541 }
542 case TS_UNACCEPTABLE:
543 {
544 /* TODO: We currently check only the replied TS payloads, which should be empty. Should
545 * we interpret the notify additionaly? */
546 this->logger->log(this->logger, CONTROL, "IKE_AUTH reply contained a TS_UNACCEPTABLE notify. Ignored");
547 return SUCCESS;
548 }
549 case NO_PROPOSAL_CHOSEN:
550 {
551 /* TODO: We currently check only the replied SA payload, which should be empty. Should
552 * we interpret the notify additionaly? */
553 this->logger->log(this->logger, CONTROL, "IKE_AUTH reply contained a NO_PROPOSAL_CHOSEN notify. Ignored");
554 return SUCCESS;
555 }
556 default:
557 {
558 /*
559 * - In case of unknown error: IKE_SA gets destroyed.
560 * - In case of unknown status: logging
561 */
562
563 if (notify_message_type < 16383)
564 {
565 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an unknown notify error (%d). Deleting IKE_SA",
566 notify_message_type);
567 return DESTROY_ME;
568
569 }
570 else
571 {
572 this->logger->log(this->logger, CONTROL, "IKE_AUTH reply contained an unknown notify (%d), ignored.",
573 notify_message_type);
574 return SUCCESS;
575 }
576 }
577 }
578 }
579
580 /**
581 * Implements state_t.get_state
582 */
583 static ike_sa_state_t get_state(private_ike_auth_requested_t *this)
584 {
585 return IKE_AUTH_REQUESTED;
586 }
587
588 /**
589 * Implements state_t.get_state
590 */
591 static void destroy(private_ike_auth_requested_t *this)
592 {
593 chunk_free(&(this->received_nonce));
594 chunk_free(&(this->sent_nonce));
595 chunk_free(&(this->ike_sa_init_reply_data));
596 if (this->child_sa)
597 {
598 this->child_sa->destroy(this->child_sa);
599 }
600 if (this->my_ts)
601 {
602 traffic_selector_t *ts;
603 while (this->my_ts->remove_last(this->my_ts, (void**)&ts) == SUCCESS)
604 {
605 ts->destroy(ts);
606 }
607 this->my_ts->destroy(this->my_ts);
608 }
609 if (this->other_ts)
610 {
611 traffic_selector_t *ts;
612 while (this->other_ts->remove_last(this->other_ts, (void**)&ts) == SUCCESS)
613 {
614 ts->destroy(ts);
615 }
616 this->other_ts->destroy(this->other_ts);
617 }
618 if (this->proposal)
619 {
620 this->proposal->destroy(this->proposal);
621 }
622 free(this);
623 }
624 /**
625 * Implements protected_ike_sa_t.destroy_after_state_change
626 */
627 static void destroy_after_state_change(private_ike_auth_requested_t *this)
628 {
629 chunk_free(&(this->received_nonce));
630 chunk_free(&(this->sent_nonce));
631 chunk_free(&(this->ike_sa_init_reply_data));
632 if (this->my_ts)
633 {
634 traffic_selector_t *ts;
635 while (this->my_ts->remove_last(this->my_ts, (void**)&ts) == SUCCESS)
636 {
637 ts->destroy(ts);
638 }
639 this->my_ts->destroy(this->my_ts);
640 }
641 if (this->other_ts)
642 {
643 traffic_selector_t *ts;
644 while (this->other_ts->remove_last(this->other_ts, (void**)&ts) == SUCCESS)
645 {
646 ts->destroy(ts);
647 }
648 this->other_ts->destroy(this->other_ts);
649 }
650 if (this->proposal)
651 {
652 this->proposal->destroy(this->proposal);
653 }
654 free(this);
655 }
656
657 /*
658 * Described in header.
659 */
660 ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk_t sent_nonce,chunk_t received_nonce,chunk_t ike_sa_init_reply_data, child_sa_t *child_sa)
661 {
662 private_ike_auth_requested_t *this = malloc_thing(private_ike_auth_requested_t);
663
664 /* interface functions */
665 this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
666 this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
667 this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
668
669 /* private functions */
670 this->process_idr_payload = process_idr_payload;
671 this->process_sa_payload = process_sa_payload;
672 this->process_auth_payload = process_auth_payload;
673 this->process_ts_payload = process_ts_payload;
674 this->process_notify_payload = process_notify_payload;
675 this->destroy_after_state_change = destroy_after_state_change;
676
677 /* private data */
678 this->ike_sa = ike_sa;
679 this->received_nonce = received_nonce;
680 this->sent_nonce = sent_nonce;
681 this->ike_sa_init_reply_data = ike_sa_init_reply_data;
682 this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
683 this->my_ts = NULL;
684 this->other_ts = NULL;
685 this->proposal = NULL;
686 this->child_sa = child_sa;
687
688 return &(this->public);
689 }