support of cert payloads
[strongswan.git] / src / charon / sa / states / ike_sa_init_requested.c
1 /**
2 * @file ike_sa_init_requested.c
3 *
4 * @brief Implementation of ike_sa_init_requested_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005 Jan Hutter, Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include "ike_sa_init_requested.h"
25
26 #include <daemon.h>
27 #include <encoding/payloads/sa_payload.h>
28 #include <encoding/payloads/ke_payload.h>
29 #include <encoding/payloads/nonce_payload.h>
30 #include <encoding/payloads/notify_payload.h>
31 #include <encoding/payloads/id_payload.h>
32 #include <encoding/payloads/cert_payload.h>
33 #include <encoding/payloads/certreq_payload.h>
34 #include <encoding/payloads/auth_payload.h>
35 #include <encoding/payloads/ts_payload.h>
36 #include <crypto/diffie_hellman.h>
37 #include <sa/states/ike_auth_requested.h>
38 #include <sa/states/initiator_init.h>
39 #include <sa/authenticator.h>
40
41
42 typedef struct private_ike_sa_init_requested_t private_ike_sa_init_requested_t;
43
44 /**
45 * Private data of a ike_sa_init_requested_t object.
46 *
47 */
48 struct private_ike_sa_init_requested_t {
49 /**
50 * Public interface of an ike_sa_init_requested_t object.
51 */
52 ike_sa_init_requested_t public;
53
54 /**
55 * Assigned IKE_SA
56 */
57 protected_ike_sa_t *ike_sa;
58
59 /**
60 * Diffie Hellman object used to compute shared secret.
61 */
62 diffie_hellman_t *diffie_hellman;
63
64 /**
65 * Sent nonce value.
66 */
67 chunk_t sent_nonce;
68
69 /**
70 * Received nonce
71 */
72 chunk_t received_nonce;
73
74 /**
75 * Selected proposal
76 */
77 proposal_t *proposal;
78
79 /**
80 * Packet data of ike_sa_init request
81 */
82 chunk_t ike_sa_init_request_data;
83
84 /**
85 * Created child sa, if any
86 */
87 child_sa_t *child_sa;
88
89 /**
90 * Assigned logger
91 *
92 * Is logger of ike_sa!
93 */
94 logger_t *logger;
95
96 /**
97 * Precomputed NAT-D hash for initiator.
98 */
99 chunk_t natd_hash_i;
100
101 /**
102 * Flag indicating that an initiator NAT-D hash matched.
103 */
104 bool natd_hash_i_matched;
105
106 /**
107 * NAT-D payload count for NAT_DETECTION_SOURCE_IP.
108 */
109 int natd_seen_i;
110
111 /**
112 * Precomputed NAT-D hash of responder.
113 */
114 chunk_t natd_hash_r;
115
116 /**
117 * Flag indicating that a responder NAT-D hash matched.
118 */
119 bool natd_hash_r_matched;
120
121 /**
122 * NAT-D payload count for NAT_DETECTION_DESTINATION_IP.
123 */
124 int natd_seen_r;
125
126
127 /**
128 * Process NONCE payload of IKE_SA_INIT response.
129 *
130 * @param this calling object
131 * @param nonce_payload NONCE payload to process
132 * @return SUCCESS in any case
133 */
134 status_t (*process_nonce_payload) (private_ike_sa_init_requested_t *this, nonce_payload_t *nonce_payload);
135
136 /**
137 * Process SA payload of IKE_SA_INIT response.
138 *
139 * @param this calling object
140 * @param sa_payload SA payload to process
141 * @return
142 * - SUCCESS
143 * - FAILED
144 */
145 status_t (*process_sa_payload) (private_ike_sa_init_requested_t *this, sa_payload_t *sa_payload);
146
147 /**
148 * Process KE payload of IKE_SA_INIT response.
149 *
150 * @param this calling object
151 * @param sa_payload KE payload to process
152 * @return
153 * - SUCCESS
154 * - FAILED
155 */
156 status_t (*process_ke_payload) (private_ike_sa_init_requested_t *this, ke_payload_t *ke_payload);
157
158 /**
159 * Build ID payload for IKE_AUTH request.
160 *
161 * @param this calling object
162 * @param[out] id_payload buildet ID payload
163 * @param msg created payload will be added to this message_t object
164 * @return
165 * - SUCCESS
166 * - FAILED
167 */
168 status_t (*build_id_payload) (private_ike_sa_init_requested_t *this,id_payload_t **id_payload, message_t *msg);
169
170 /**
171 * Build CERT payload for IKE_AUTH request.
172 *
173 * @param this calling object
174 * @param msg created payload will be added to this message_t object
175 * @return
176 * - SUCCESS
177 * - FAILED
178 */
179 status_t (*build_cert_payload) (private_ike_sa_init_requested_t *this, message_t *msg);
180
181 /**
182 * Build CERTREQ payload for IKE_AUTH request.
183 *
184 * @param this calling object
185 * @param msg created payload will be added to this message_t object
186 * @return
187 * - SUCCESS
188 * - FAILED
189 */
190 status_t (*build_certreq_payload) (private_ike_sa_init_requested_t *this, message_t *msg);
191
192 /**
193 * Build IDr payload for IKE_AUTH request.
194 *
195 * Only built when the ID of the responder contains no wildcards.
196 *
197 * @param this calling object
198 * @param msg created payload will be added to this message_t object
199 * @return
200 * - SUCCESS
201 * - FAILED
202 */
203 status_t (*build_idr_payload) (private_ike_sa_init_requested_t *this, message_t *msg);
204
205 /**
206 * Build AUTH payload for IKE_AUTH request.
207 *
208 * @param this calling object
209 * @param my_id_payload buildet ID payload
210 * @param msg created payload will be added to this message_t object
211 * @return
212 * - SUCCESS
213 * - FAILED
214 */
215 status_t (*build_auth_payload) (private_ike_sa_init_requested_t *this,id_payload_t *my_id_payload, message_t *msg);
216
217 /**
218 * Build SA payload for IKE_AUTH request.
219 *
220 * @param this calling object
221 * @param msg created payload will be added to this message_t object
222 * @return
223 * - SUCCESS
224 * - FAILED
225 */
226 status_t (*build_sa_payload) (private_ike_sa_init_requested_t *this, message_t *msg);
227
228 /**
229 * Build TSi payload for IKE_AUTH request.
230 *
231 * @param this calling object
232 * @param msg created payload will be added to this message_t object
233 * @return
234 * - SUCCESS
235 * - FAILED
236 */
237 status_t (*build_tsi_payload) (private_ike_sa_init_requested_t *this, message_t *msg);
238
239 /**
240 * Build TSr payload for IKE_AUTH request.
241 *
242 * @param this calling object
243 * @param msg created payload will be added to this message_t object
244 * @return
245 * - SUCCESS
246 * - FAILED
247 */
248 status_t (*build_tsr_payload) (private_ike_sa_init_requested_t *this, message_t *msg);
249
250 /**
251 * Process a notify payload and react.
252 *
253 * @param this calling object
254 * @param notify_payload notify_payload to handle
255 */
256 status_t (*process_notify_payload) (private_ike_sa_init_requested_t *this, notify_payload_t *notify_payload);
257
258 /**
259 * Destroy function called internally of this class after state change to
260 * state IKE_AUTH_REQUESTED succeeded.
261 *
262 * This destroy function does not destroy objects which were passed to the new state.
263 *
264 * @param this calling object
265 */
266 void (*destroy_after_state_change) (private_ike_sa_init_requested_t *this);
267 };
268
269 /**
270 * Implementation of state_t.process_message.
271 */
272 static status_t process_message(private_ike_sa_init_requested_t *this, message_t *ike_sa_init_reply)
273 {
274 ike_auth_requested_t *next_state;
275 chunk_t ike_sa_init_reply_data;
276 sa_payload_t *sa_payload = NULL;
277 ke_payload_t *ke_payload = NULL;
278 id_payload_t *id_payload = NULL;
279 nonce_payload_t *nonce_payload = NULL;
280 u_int64_t responder_spi;
281 ike_sa_id_t *ike_sa_id;
282 iterator_t *payloads;
283 host_t *me, *other;
284 connection_t *connection;
285 policy_t *policy;
286
287 message_t *request;
288 status_t status;
289
290 /*
291 * In this state a reply message of type IKE_SA_INIT is expected:
292 *
293 * <-- HDR, SAr1, KEr, Nr, [CERTREQ]
294 * or
295 * <-- HDR, N
296 */
297
298 if (ike_sa_init_reply->get_exchange_type(ike_sa_init_reply) != IKE_SA_INIT)
299 {
300 this->logger->log(this->logger, ERROR | LEVEL1, "message of type %s not supported in state ike_sa_init_requested",
301 mapping_find(exchange_type_m,ike_sa_init_reply->get_exchange_type(ike_sa_init_reply)));
302 return FAILED;
303 }
304
305 if (ike_sa_init_reply->get_request(ike_sa_init_reply))
306 {
307 this->logger->log(this->logger, ERROR | LEVEL1, "IKE_SA_INIT requests not allowed state ike_sa_init_responded");
308 return FAILED;
309 }
310
311 /* parse incoming message */
312 status = ike_sa_init_reply->parse_body(ike_sa_init_reply, NULL, NULL);
313 if (status != SUCCESS)
314 {
315 this->logger->log(this->logger, ERROR | LEVEL1, "IKE_SA_INIT reply parsing faild. Ignoring message");
316 return status;
317 }
318
319 /* because we are original initiator we have to update the responder SPI to the new one */
320 responder_spi = ike_sa_init_reply->get_responder_spi(ike_sa_init_reply);
321 if (responder_spi == 0)
322 {
323 this->logger->log(this->logger, ERROR | LEVEL1, "IKE_SA_INIT reply contained a SPI of zero");
324 return FAILED;
325 }
326 ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public));
327 ike_sa_id->set_responder_spi(ike_sa_id,responder_spi);
328
329 /*
330 * Precompute NAT-D hashes.
331 * Even though there SHOULD only be a single payload of each
332 * Notify type, we precompute both hashes.
333 */
334 this->natd_hash_i = this->ike_sa->generate_natd_hash(this->ike_sa,
335 ike_sa_init_reply->get_initiator_spi(ike_sa_init_reply),
336 ike_sa_init_reply->get_responder_spi(ike_sa_init_reply),
337 ike_sa_init_reply->get_source(ike_sa_init_reply));
338 this->natd_hash_i_matched = FALSE;
339 this->natd_seen_i = 0;
340 this->natd_hash_r = this->ike_sa->generate_natd_hash(this->ike_sa,
341 ike_sa_init_reply->get_initiator_spi(ike_sa_init_reply),
342 ike_sa_init_reply->get_responder_spi(ike_sa_init_reply),
343 ike_sa_init_reply->get_destination(ike_sa_init_reply));
344 this->natd_hash_r_matched = FALSE;
345 this->natd_seen_r = 0;
346 this->ike_sa->set_my_host_behind_nat(this->ike_sa, FALSE);
347 this->ike_sa->set_other_host_behind_nat(this->ike_sa, FALSE);
348
349 /* Iterate over all payloads.
350 *
351 * The message is already checked for the right payload types.
352 */
353 payloads = ike_sa_init_reply->get_payload_iterator(ike_sa_init_reply);
354 while (payloads->has_next(payloads))
355 {
356 payload_t *payload;
357 payloads->current(payloads, (void**)&payload);
358
359 switch (payload->get_type(payload))
360 {
361 case SECURITY_ASSOCIATION:
362 sa_payload = (sa_payload_t*)payload;
363 break;
364 case KEY_EXCHANGE:
365 ke_payload = (ke_payload_t*)payload;
366 break;
367 case NONCE:
368 nonce_payload = (nonce_payload_t*)payload;
369 break;
370 case NOTIFY:
371 {
372 notify_payload_t *notify_payload = (notify_payload_t *) payload;
373
374 status = this->process_notify_payload(this, notify_payload);
375 if (status != SUCCESS)
376 {
377 payloads->destroy(payloads);
378 return status;
379 }
380 break;
381 }
382 default:
383 this->logger->log(this->logger, ERROR|LEVEL1, "ignoring payload %s (%d)",
384 mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload));
385 break;
386 }
387
388 }
389 payloads->destroy(payloads);
390
391 if (!(nonce_payload && sa_payload && ke_payload))
392 {
393 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT reply did not contain all required payloads. Deleting IKE_SA");
394 return DESTROY_ME;
395 }
396
397 status = this->process_nonce_payload (this,nonce_payload);
398 if (status != SUCCESS)
399 return status;
400
401 status = this->process_sa_payload (this,sa_payload);
402 if (status != SUCCESS)
403 return status;
404
405 status = this->process_ke_payload (this,ke_payload);
406 if (status != SUCCESS)
407 return status;
408
409 /* derive all the keys used in the IKE_SA */
410 status = this->ike_sa->build_transforms(this->ike_sa, this->proposal, this->diffie_hellman, this->sent_nonce, this->received_nonce);
411 if (status != SUCCESS)
412 {
413 this->logger->log(this->logger, AUDIT, "transform objects could not be created from selected proposal. Deleting IKE_SA");
414 return DESTROY_ME;
415 }
416
417 /* NAT-D */
418 if ((!this->natd_seen_i && this->natd_seen_r > 0)
419 || (this->natd_seen_i > 0 && !this->natd_seen_r))
420 {
421 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT request contained wrong number of NAT-D payloads. Deleting IKE_SA");
422 return DESTROY_ME;
423 }
424 if (this->natd_seen_r > 1)
425 {
426 this->logger->log(this->logger, AUDIT, "warning: IKE_SA_INIT request contained multiple Notify(NAT_DETECTION_DESTINATION_IP) payloads.");
427 }
428 if (this->natd_seen_i > 0 && !this->natd_hash_i_matched)
429 {
430 this->logger->log(this->logger, AUDIT, "remote host is behind NAT, using NAT-Traversal");
431 this->ike_sa->set_other_host_behind_nat(this->ike_sa, TRUE);
432 }
433 if (this->natd_seen_r > 0 && !this->natd_hash_r_matched)
434 {
435 this->logger->log(this->logger, AUDIT, "local host is behind NAT, using NAT-Traversal");
436 this->ike_sa->set_my_host_behind_nat(this->ike_sa, TRUE);
437 }
438
439 /* apply the address on wich we really received the packet,
440 * and switch to port 4500 when using NAT-T and NAT was detected.
441 */
442 connection = this->ike_sa->get_connection(this->ike_sa);
443 me = ike_sa_init_reply->get_destination(ike_sa_init_reply);
444 other = ike_sa_init_reply->get_source(ike_sa_init_reply);
445
446 if (this->ike_sa->public.is_any_host_behind_nat((ike_sa_t*)this->ike_sa))
447 {
448 me->set_port(me, IKEV2_NATT_PORT);
449 other->set_port(other, IKEV2_NATT_PORT);
450 this->logger->log(this->logger, AUDIT, "switching to port %d.", IKEV2_NATT_PORT);
451 }
452 else
453 {
454 this->logger->log(this->logger, AUDIT, "no NAT detected, not using NAT-Traversal");
455 }
456
457 if (this->ike_sa->public.is_my_host_behind_nat(&this->ike_sa->public))
458 {
459 charon->event_queue->add_relative(charon->event_queue,
460 (job_t*)send_keepalive_job_create(this->ike_sa->public.get_id((ike_sa_t*)this->ike_sa)),
461 charon->configuration->get_keepalive_interval(charon->configuration));
462 }
463
464 status = this->ike_sa->update_connection_hosts(this->ike_sa, me, other);
465 if (status != SUCCESS)
466 return status;
467
468 policy = this->ike_sa->get_policy(this->ike_sa);
469 policy->update_my_ts(policy, me);
470 policy->update_other_ts(policy, other);
471
472 /* build empty message */
473 this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request);
474
475 status = this->build_id_payload(this, &id_payload, request);
476 if (status != SUCCESS)
477 goto destroy_request;
478
479 status = this->build_cert_payload(this, request);
480 if (status != SUCCESS)
481 goto destroy_request;
482
483 status = this->build_certreq_payload(this, request);
484 if (status != SUCCESS)
485 goto destroy_request;
486
487 status = this->build_idr_payload(this, request);
488 if (status != SUCCESS)
489 goto destroy_request;
490
491 status = this->build_auth_payload(this, (id_payload_t*)id_payload, request);
492 if (status != SUCCESS)
493 goto destroy_request;
494
495 status = this->build_sa_payload(this, request);
496 if (status != SUCCESS)
497 goto destroy_request;
498
499 status = this->build_tsi_payload(this, request);
500 if (status != SUCCESS)
501 goto destroy_request;
502
503 status = this->build_tsr_payload(this, request);
504 if (status != SUCCESS)
505 goto destroy_request;
506
507 /* message can now be sent (must not be destroyed) */
508 status = this->ike_sa->send_request(this->ike_sa, request);
509 if (status != SUCCESS)
510 {
511 this->logger->log(this->logger, AUDIT, "unable to send IKE_AUTH request. Deleting IKE_SA");
512 request->destroy(request);
513 return DESTROY_ME;
514 }
515
516 this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_sa_init_reply->get_message_id(ike_sa_init_reply));
517
518 ike_sa_init_reply_data = ike_sa_init_reply->get_packet_data(ike_sa_init_reply);
519
520 /* state can now be changed */
521 next_state = ike_auth_requested_create(this->ike_sa, this->sent_nonce, this->received_nonce,
522 ike_sa_init_reply_data, this->child_sa);
523 this->ike_sa->set_new_state(this->ike_sa,(state_t *) next_state);
524
525 this->destroy_after_state_change(this);
526 return SUCCESS;
527
528 destroy_request:
529 request->destroy(request);
530 return status;
531
532 }
533
534
535 /**
536 * Implementation of private_ike_sa_init_requested_t.process_nonce_payload.
537 */
538 status_t process_nonce_payload (private_ike_sa_init_requested_t *this, nonce_payload_t *nonce_payload)
539 {
540 free(this->received_nonce.ptr);
541 this->received_nonce = nonce_payload->get_nonce(nonce_payload);
542 return SUCCESS;
543 }
544
545
546 /**
547 * Implementation of private_ike_sa_init_requested_t.process_sa_payload.
548 */
549 status_t process_sa_payload (private_ike_sa_init_requested_t *this, sa_payload_t *sa_payload)
550 {
551 proposal_t *proposal;
552 linked_list_t *proposal_list;
553 connection_t *connection;
554
555 connection = this->ike_sa->get_connection(this->ike_sa);
556
557 /* get the list of selected proposals, the peer has to select only one proposal */
558 proposal_list = sa_payload->get_proposals (sa_payload);
559 if (proposal_list->get_count(proposal_list) != 1)
560 {
561 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response did not contain a single proposal. Deleting IKE_SA");
562 while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
563 {
564 proposal->destroy(proposal);
565 }
566 proposal_list->destroy(proposal_list);
567 return DESTROY_ME;
568 }
569
570 /* we have to re-check if the others selection is valid */
571 this->proposal = connection->select_proposal(connection, proposal_list);
572 while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
573 {
574 proposal->destroy(proposal);
575 }
576 proposal_list->destroy(proposal_list);
577
578 if (this->proposal == NULL)
579 {
580 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response contained selected proposal we did not offer. Deleting IKE_SA");
581 return DESTROY_ME;
582 }
583
584 return SUCCESS;
585 }
586
587 /**
588 * Implementation of private_ike_sa_init_requested_t.process_ke_payload.
589 */
590 status_t process_ke_payload (private_ike_sa_init_requested_t *this, ke_payload_t *ke_payload)
591 {
592 this->diffie_hellman->set_other_public_value(this->diffie_hellman, ke_payload->get_key_exchange_data(ke_payload));
593
594 return SUCCESS;
595 }
596
597 /**
598 * Implementation of private_ike_sa_init_requested_t.build_id_payload.
599 */
600 static status_t build_id_payload (private_ike_sa_init_requested_t *this,id_payload_t **id_payload, message_t *msg)
601 {
602 policy_t *policy;
603 identification_t *my_id;
604 id_payload_t *new_id_payload;
605
606 policy = this->ike_sa->get_policy(this->ike_sa);
607 my_id = policy->get_my_id(policy);
608 new_id_payload = id_payload_create_from_identification(TRUE, my_id);
609
610 this->logger->log(this->logger, CONTROL|LEVEL2, "add ID payload to message");
611 msg->add_payload(msg, (payload_t *) new_id_payload);
612
613 *id_payload = new_id_payload;
614
615 return SUCCESS;
616 }
617
618 /**
619 * Implementation of private_ike_sa_init_requested_t.build_cert_payload.
620 */
621 static status_t build_cert_payload (private_ike_sa_init_requested_t *this, message_t *msg)
622 {
623 connection_t *connection = this->ike_sa->get_connection(this->ike_sa);
624
625 if (connection->get_cert_policy(connection) != CERT_NEVER_SEND)
626 {
627 policy_t *policy;
628 identification_t *my_id;
629 x509_t *cert;
630 cert_payload_t *cert_payload;
631
632 policy = this->ike_sa->get_policy(this->ike_sa);
633 my_id = policy->get_my_id(policy);
634
635 cert = charon->credentials->get_certificate(charon->credentials, my_id);
636 if (cert == NULL)
637 {
638 this->logger->log(this->logger, ERROR, "could not find my certificate");
639 return NOT_FOUND;
640 }
641 cert_payload = cert_payload_create_from_x509(cert);
642 this->logger->log(this->logger, CONTROL|LEVEL2, "add CERT payload to message");
643 msg->add_payload(msg, (payload_t *) cert_payload);
644 }
645 return SUCCESS;
646 }
647
648 /**
649 * Implementation of private_ike_sa_init_requested_t.build_certreq_payload.
650 */
651 static status_t build_certreq_payload (private_ike_sa_init_requested_t *this, message_t *msg)
652 {
653 if (FALSE)
654 {
655 certreq_payload_t *certreq_payload;
656
657 this->logger->log(this->logger, CONTROL|LEVEL2, "add CERTREQ payload to message");
658 msg->add_payload(msg, (payload_t *) certreq_payload);
659 }
660 return SUCCESS;
661 }
662
663 /**
664 * Implementation of private_ike_sa_init_requested_t.build_idr_payload.
665 */
666 static status_t build_idr_payload (private_ike_sa_init_requested_t *this, message_t *msg)
667 {
668 policy_t *policy = this->ike_sa->get_policy(this->ike_sa);
669 identification_t *identification = policy->get_other_id(policy);
670
671 if (!identification->contains_wildcards(identification))
672 {
673 id_payload_t *idr_payload = id_payload_create_from_identification(FALSE, identification);
674
675 this->logger->log(this->logger, CONTROL|LEVEL2, "add IDr payload to message");
676 msg->add_payload(msg, (payload_t *) idr_payload);
677 }
678 return SUCCESS;
679 }
680
681 /**
682 * Implementation of private_ike_sa_init_requested_t.build_auth_payload.
683 */
684 static status_t build_auth_payload (private_ike_sa_init_requested_t *this, id_payload_t *my_id_payload, message_t *msg)
685 {
686 authenticator_t *authenticator;
687 auth_payload_t *auth_payload;
688 status_t status;
689
690 authenticator = authenticator_create(this->ike_sa);
691 status = authenticator->compute_auth_data(authenticator,&auth_payload,this->ike_sa_init_request_data,this->received_nonce,my_id_payload,TRUE);
692 authenticator->destroy(authenticator);
693
694 if (status != SUCCESS)
695 {
696 this->logger->log(this->logger, AUDIT, "could not generate AUTH data for IKE_AUTH request. Deleting IKE_SA");
697 return DESTROY_ME;
698 }
699
700 this->logger->log(this->logger, CONTROL|LEVEL2, "add AUTH payload to message");
701 msg->add_payload(msg, (payload_t *) auth_payload);
702
703 return SUCCESS;
704 }
705
706 /**
707 * Implementation of private_ike_sa_init_requested_t.build_sa_payload.
708 */
709 static status_t build_sa_payload (private_ike_sa_init_requested_t *this, message_t *msg)
710 {
711 linked_list_t *proposal_list;
712 sa_payload_t *sa_payload;
713 policy_t *policy;
714 connection_t *connection;
715
716 /* get proposals form config, add to payload */
717 policy = this->ike_sa->get_policy(this->ike_sa);
718 proposal_list = policy->get_proposals(policy);
719 /* build child sa */
720 connection = this->ike_sa->get_connection(this->ike_sa);
721 this->child_sa = child_sa_create(0,
722 connection->get_my_host(connection),
723 connection->get_other_host(connection),
724 policy->get_soft_lifetime(policy),
725 policy->get_hard_lifetime(policy),
726 this->ike_sa->public.is_any_host_behind_nat(&this->ike_sa->public));
727 if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS)
728 {
729 this->logger->log(this->logger, AUDIT, "could not install CHILD_SA! Deleting IKE_SA");
730 return DESTROY_ME;
731 }
732
733 sa_payload = sa_payload_create_from_proposal_list(proposal_list);
734
735 this->logger->log(this->logger, CONTROL|LEVEL2, "add SA payload to message");
736 msg->add_payload(msg, (payload_t *) sa_payload);
737
738 return SUCCESS;
739 }
740
741 /**
742 * Implementation of private_ike_sa_init_requested_t.build_tsi_payload.
743 */
744 static status_t build_tsi_payload (private_ike_sa_init_requested_t *this, message_t *msg)
745 {
746 policy_t *policy = this->ike_sa->get_policy(this->ike_sa);
747 linked_list_t *ts_list = policy->get_my_traffic_selectors(policy);
748 ts_payload_t *ts_payload = ts_payload_create_from_traffic_selectors(TRUE, ts_list);
749
750 this->logger->log(this->logger, CONTROL|LEVEL2, "add TSi payload to message");
751 msg->add_payload(msg, (payload_t *) ts_payload);
752
753 return SUCCESS;
754 }
755
756 /**
757 * Implementation of private_ike_sa_init_requested_t.build_tsr_payload.
758 */
759 static status_t build_tsr_payload (private_ike_sa_init_requested_t *this, message_t *msg)
760 {
761 policy_t *policy = this->ike_sa->get_policy(this->ike_sa);
762 linked_list_t *ts_list = policy->get_other_traffic_selectors(policy);
763 ts_payload_t *ts_payload = ts_payload_create_from_traffic_selectors(FALSE, ts_list);
764
765 this->logger->log(this->logger, CONTROL|LEVEL2, "add TSr payload to message");
766 msg->add_payload(msg, (payload_t *) ts_payload);
767
768 return SUCCESS;
769 }
770
771 /**
772 * Implementation of private_ike_sa_init_requested_t.process_notify_payload.
773 */
774 static status_t process_notify_payload(private_ike_sa_init_requested_t *this, notify_payload_t *notify_payload)
775 {
776 chunk_t notification_data;
777 notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
778
779 this->logger->log(this->logger, CONTROL|LEVEL1, "process notify type %s",
780 mapping_find(notify_message_type_m, notify_message_type));
781
782 switch (notify_message_type)
783 {
784 case NO_PROPOSAL_CHOSEN:
785 {
786 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response contained a NO_PROPOSAL_CHOSEN notify. Deleting IKE_SA");
787 return DESTROY_ME;
788 }
789 case INVALID_MAJOR_VERSION:
790 {
791 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response contained a INVALID_MAJOR_VERSION notify. Deleting IKE_SA");
792 return DESTROY_ME;
793 }
794 case INVALID_KE_PAYLOAD:
795 {
796 initiator_init_t *initiator_init_state;
797 chunk_t notify_data;
798 diffie_hellman_group_t dh_group, old_dh_group;
799 connection_t *connection;
800
801 connection = this->ike_sa->get_connection(this->ike_sa);
802 old_dh_group = connection->get_dh_group(connection);
803 notify_data = notify_payload->get_notification_data(notify_payload);
804 dh_group = ntohs(*((u_int16_t*)notify_data.ptr));
805
806 /* TODO:
807 * We are very restrictive here: If the other didn't accept
808 * our DH group, and we do not accept his offer, continuation
809 * is cancelled...
810 */
811
812 this->logger->log(this->logger, AUDIT, "peer didn't accept %s, it requested %s!",
813 mapping_find(diffie_hellman_group_m, old_dh_group),
814 mapping_find(diffie_hellman_group_m, dh_group));
815 /* check if we can accept this dh group */
816 if (!connection->check_dh_group(connection, dh_group))
817 {
818 this->logger->log(this->logger, AUDIT,
819 "peer does only accept DH group %s, which we do not accept! Aborting",
820 mapping_find(diffie_hellman_group_m, dh_group));
821 return DESTROY_ME;
822 }
823
824 /* Going to change state back to initiator_init_t */
825 this->logger->log(this->logger, CONTROL|LEVEL2, "create next state object");
826 initiator_init_state = initiator_init_create(this->ike_sa);
827
828 /* buffer of sent and received messages has to get reseted */
829 this->ike_sa->reset_message_buffers(this->ike_sa);
830
831 /* state can now be changed */
832 this->ike_sa->set_new_state(this->ike_sa,(state_t *) initiator_init_state);
833
834 /* state has NOW changed :-) */
835 this->logger->log(this->logger, CONTROL|LEVEL2, "destroy old sate object");
836 this->logger->log(this->logger, CONTROL|LEVEL2, "going to retry initialization of connection");
837
838 this->public.state_interface.destroy(&(this->public.state_interface));
839 if (initiator_init_state->retry_initiate_connection (initiator_init_state, dh_group) != SUCCESS)
840 {
841 return DESTROY_ME;
842 }
843 return FAILED;
844 }
845 case NAT_DETECTION_DESTINATION_IP:
846 {
847 this->natd_seen_r++;
848 if (this->natd_hash_r_matched)
849 return SUCCESS;
850
851 notification_data = notify_payload->get_notification_data(notify_payload);
852 if (chunk_equals(notification_data, this->natd_hash_r))
853 {
854 this->natd_hash_r_matched = TRUE;
855 this->logger->log(this->logger, CONTROL|LEVEL3, "NAT-D hash match");
856 }
857 else
858 {
859 this->logger->log(this->logger, CONTROL|LEVEL3, "NAT-D hash mismatch");
860 }
861
862 return SUCCESS;
863 }
864 case NAT_DETECTION_SOURCE_IP:
865 {
866 this->natd_seen_i++;
867 if (this->natd_hash_i_matched)
868 return SUCCESS;
869
870 notification_data = notify_payload->get_notification_data(notify_payload);
871 if (chunk_equals(notification_data, this->natd_hash_i))
872 {
873 this->natd_hash_i_matched = TRUE;
874 this->logger->log(this->logger, CONTROL|LEVEL3, "NAT-D hash match");
875 }
876 else
877 {
878 this->logger->log(this->logger, CONTROL|LEVEL3, "NAT-D hash mismatch");
879 }
880
881 return SUCCESS;
882 }
883 default:
884 {
885 /*
886 * - In case of unknown error: IKE_SA gets destroyed.
887 * - In case of unknown status: logging
888 */
889 if (notify_message_type < 16383)
890 {
891 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT reply contained an unknown notify error (%d). Deleting IKE_SA",
892 notify_message_type);
893 return DESTROY_ME;
894 }
895 else
896 {
897 this->logger->log(this->logger, CONTROL, "IKE_SA_INIT reply contained an unknown notify (%d), ignored.",
898 notify_message_type);
899 return SUCCESS;
900 }
901 }
902 }
903 }
904
905 /**
906 * Implementation of state_t.get_state.
907 */
908 static ike_sa_state_t get_state(private_ike_sa_init_requested_t *this)
909 {
910 return IKE_SA_INIT_REQUESTED;
911 }
912
913 /**
914 * Implementation of private_ike_sa_init_requested_t.destroy_after_state_change.
915 */
916 static void destroy_after_state_change (private_ike_sa_init_requested_t *this)
917 {
918 this->diffie_hellman->destroy(this->diffie_hellman);
919 chunk_free(&(this->ike_sa_init_request_data));
920 if (this->proposal)
921 {
922 this->proposal->destroy(this->proposal);
923 }
924 free(this);
925 }
926
927 /**
928 * Implementation state_t.destroy.
929 */
930 static void destroy(private_ike_sa_init_requested_t *this)
931 {
932 this->diffie_hellman->destroy(this->diffie_hellman);
933 free(this->sent_nonce.ptr);
934 free(this->received_nonce.ptr);
935 chunk_free(&(this->ike_sa_init_request_data));
936 if (this->child_sa)
937 {
938 this->child_sa->destroy(this->child_sa);
939 }
940 if (this->proposal)
941 {
942 this->proposal->destroy(this->proposal);
943 }
944 free(this);
945 }
946
947 /*
948 * Described in header.
949 */
950 ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa, diffie_hellman_t *diffie_hellman, chunk_t sent_nonce,chunk_t ike_sa_init_request_data)
951 {
952 private_ike_sa_init_requested_t *this = malloc_thing(private_ike_sa_init_requested_t);
953
954 /* interface functions */
955 this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
956 this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
957 this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
958
959 /* private functions */
960 this->destroy_after_state_change = destroy_after_state_change;
961 this->process_nonce_payload = process_nonce_payload;
962 this->process_sa_payload = process_sa_payload;
963 this->process_ke_payload = process_ke_payload;
964 this->build_auth_payload = build_auth_payload;
965 this->build_tsi_payload = build_tsi_payload;
966 this->build_tsr_payload = build_tsr_payload;
967 this->build_id_payload = build_id_payload;
968 this->build_idr_payload = build_idr_payload;
969 this->build_cert_payload = build_cert_payload;
970 this->build_certreq_payload = build_certreq_payload;
971 this->build_sa_payload = build_sa_payload;
972 this->process_notify_payload = process_notify_payload;
973
974 /* private data */
975 this->ike_sa = ike_sa;
976 this->received_nonce = CHUNK_INITIALIZER;
977 this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
978 this->diffie_hellman = diffie_hellman;
979 this->proposal = NULL;
980 this->sent_nonce = sent_nonce;
981 this->child_sa = NULL;
982 this->ike_sa_init_request_data = ike_sa_init_request_data;
983
984 return &(this->public);
985 }