1383ac4c6ebcea4f195ea0e01dcde0eb12db81aa
[strongswan.git] / src / charon / sa / states / ike_sa_init_requested.c
1 /**
2 * @file ike_sa_init_requested.c
3 *
4 * @brief Implementation of ike_sa_init_requested_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005 Jan Hutter, Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include "ike_sa_init_requested.h"
25
26 #include <daemon.h>
27 #include <encoding/payloads/sa_payload.h>
28 #include <encoding/payloads/ke_payload.h>
29 #include <encoding/payloads/nonce_payload.h>
30 #include <encoding/payloads/notify_payload.h>
31 #include <encoding/payloads/id_payload.h>
32 #include <encoding/payloads/auth_payload.h>
33 #include <encoding/payloads/ts_payload.h>
34 #include <crypto/diffie_hellman.h>
35 #include <sa/states/ike_auth_requested.h>
36 #include <sa/states/initiator_init.h>
37 #include <sa/authenticator.h>
38
39
40 typedef struct private_ike_sa_init_requested_t private_ike_sa_init_requested_t;
41
42 /**
43 * Private data of a ike_sa_init_requested_t object.
44 *
45 */
46 struct private_ike_sa_init_requested_t {
47 /**
48 * Public interface of an ike_sa_init_requested_t object.
49 */
50 ike_sa_init_requested_t public;
51
52 /**
53 * Assigned IKE_SA
54 */
55 protected_ike_sa_t *ike_sa;
56
57 /**
58 * Diffie Hellman object used to compute shared secret.
59 */
60 diffie_hellman_t *diffie_hellman;
61
62 /**
63 * Sent nonce value.
64 */
65 chunk_t sent_nonce;
66
67 /**
68 * Received nonce
69 */
70 chunk_t received_nonce;
71
72 /**
73 * Selected proposal
74 */
75 proposal_t *proposal;
76
77 /**
78 * Packet data of ike_sa_init request
79 */
80 chunk_t ike_sa_init_request_data;
81
82 /**
83 * Created child sa, if any
84 */
85 child_sa_t *child_sa;
86
87 /**
88 * Assigned logger
89 *
90 * Is logger of ike_sa!
91 */
92 logger_t *logger;
93
94 /**
95 * Precomputed NAT-D hash for initiator.
96 */
97 chunk_t natd_hash_i;
98
99 /**
100 * Flag indicating that an initiator NAT-D hash matched.
101 */
102 bool natd_hash_i_matched;
103
104 /**
105 * NAT-D payload count for NAT_DETECTION_SOURCE_IP.
106 */
107 int natd_seen_i;
108
109 /**
110 * Precomputed NAT-D hash of responder.
111 */
112 chunk_t natd_hash_r;
113
114 /**
115 * Flag indicating that a responder NAT-D hash matched.
116 */
117 bool natd_hash_r_matched;
118
119 /**
120 * NAT-D payload count for NAT_DETECTION_DESTINATION_IP.
121 */
122 int natd_seen_r;
123
124
125 /**
126 * Process NONCE payload of IKE_SA_INIT response.
127 *
128 * @param this calling object
129 * @param nonce_payload NONCE payload to process
130 * @return SUCCESS in any case
131 */
132 status_t (*process_nonce_payload) (private_ike_sa_init_requested_t *this, nonce_payload_t *nonce_payload);
133
134 /**
135 * Process SA payload of IKE_SA_INIT response.
136 *
137 * @param this calling object
138 * @param sa_payload SA payload to process
139 * @return
140 * - SUCCESS
141 * - FAILED
142 */
143 status_t (*process_sa_payload) (private_ike_sa_init_requested_t *this, sa_payload_t *sa_payload);
144
145 /**
146 * Process KE payload of IKE_SA_INIT response.
147 *
148 * @param this calling object
149 * @param sa_payload KE payload to process
150 * @return
151 * - SUCCESS
152 * - FAILED
153 */
154 status_t (*process_ke_payload) (private_ike_sa_init_requested_t *this, ke_payload_t *ke_payload);
155
156 /**
157 * Build ID payload for IKE_AUTH request.
158 *
159 * @param this calling object
160 * @param[out] id_payload buildet ID payload
161 * @param response created payload will be added to this message_t object
162 * @return
163 * - SUCCESS
164 * - FAILED
165 */
166 status_t (*build_id_payload) (private_ike_sa_init_requested_t *this,id_payload_t **id_payload, message_t *response);
167
168 /**
169 * Build IDr payload for IKE_AUTH request.
170 *
171 * Only built when the ID of the responder contains no wildcards.
172 *
173 * @param this calling object
174 * @param response created payload will be added to this message_t object
175 * @return
176 * - SUCCESS
177 * - FAILED
178 */
179 status_t (*build_idr_payload) (private_ike_sa_init_requested_t *this, message_t *response);
180
181 /**
182 * Build AUTH payload for IKE_AUTH request.
183 *
184 * @param this calling object
185 * @param my_id_payload buildet ID payload
186 * @param response created payload will be added to this message_t object
187 * @return
188 * - SUCCESS
189 * - FAILED
190 */
191 status_t (*build_auth_payload) (private_ike_sa_init_requested_t *this,id_payload_t *my_id_payload, message_t *response);
192
193 /**
194 * Build SA payload for IKE_AUTH request.
195 *
196 * @param this calling object
197 * @param response created payload will be added to this message_t object
198 * @return
199 * - SUCCESS
200 * - FAILED
201 */
202 status_t (*build_sa_payload) (private_ike_sa_init_requested_t *this, message_t *response);
203
204 /**
205 * Build TSi payload for IKE_AUTH request.
206 *
207 * @param this calling object
208 * @param response created payload will be added to this message_t object
209 * @return
210 * - SUCCESS
211 * - FAILED
212 */
213 status_t (*build_tsi_payload) (private_ike_sa_init_requested_t *this, message_t *response);
214
215 /**
216 * Build TSr payload for IKE_AUTH request.
217 *
218 * @param this calling object
219 * @param response created payload will be added to this message_t object
220 * @return
221 * - SUCCESS
222 * - FAILED
223 */
224 status_t (*build_tsr_payload) (private_ike_sa_init_requested_t *this, message_t *response);
225
226 /**
227 * Process a notify payload and react.
228 *
229 * @param this calling object
230 * @param notify_payload notify_payload to handle
231 */
232 status_t (*process_notify_payload) (private_ike_sa_init_requested_t *this, notify_payload_t *notify_payload);
233
234 /**
235 * Destroy function called internally of this class after state change to
236 * state IKE_AUTH_REQUESTED succeeded.
237 *
238 * This destroy function does not destroy objects which were passed to the new state.
239 *
240 * @param this calling object
241 */
242 void (*destroy_after_state_change) (private_ike_sa_init_requested_t *this);
243 };
244
245 /**
246 * Implementation of state_t.process_message.
247 */
248 static status_t process_message(private_ike_sa_init_requested_t *this, message_t *ike_sa_init_reply)
249 {
250 ike_auth_requested_t *next_state;
251 chunk_t ike_sa_init_reply_data;
252 sa_payload_t *sa_payload = NULL;
253 ke_payload_t *ke_payload = NULL;
254 id_payload_t *id_payload = NULL;
255 nonce_payload_t *nonce_payload = NULL;
256 u_int64_t responder_spi;
257 ike_sa_id_t *ike_sa_id;
258 iterator_t *payloads;
259 host_t *me, *other;
260 connection_t *connection;
261 policy_t *policy;
262
263 message_t *request;
264 status_t status;
265
266 /*
267 * In this state a reply message of type IKE_SA_INIT is expected:
268 *
269 * <-- HDR, SAr1, KEr, Nr, [CERTREQ]
270 * or
271 * <-- HDR, N
272 */
273
274 if (ike_sa_init_reply->get_exchange_type(ike_sa_init_reply) != IKE_SA_INIT)
275 {
276 this->logger->log(this->logger, ERROR | LEVEL1, "Message of type %s not supported in state ike_sa_init_requested",
277 mapping_find(exchange_type_m,ike_sa_init_reply->get_exchange_type(ike_sa_init_reply)));
278 return FAILED;
279 }
280
281 if (ike_sa_init_reply->get_request(ike_sa_init_reply))
282 {
283 this->logger->log(this->logger, ERROR | LEVEL1, "IKE_SA_INIT requests not allowed state ike_sa_init_responded");
284 return FAILED;
285 }
286
287 /* parse incoming message */
288 status = ike_sa_init_reply->parse_body(ike_sa_init_reply, NULL, NULL);
289 if (status != SUCCESS)
290 {
291 this->logger->log(this->logger, ERROR | LEVEL1, "IKE_SA_INIT reply parsing faild. Ignoring message");
292 return status;
293 }
294
295 /* because we are original initiator we have to update the responder SPI to the new one */
296 responder_spi = ike_sa_init_reply->get_responder_spi(ike_sa_init_reply);
297 if (responder_spi == 0)
298 {
299 this->logger->log(this->logger, ERROR | LEVEL1, "IKE_SA_INIT reply contained a SPI of zero");
300 return FAILED;
301 }
302 ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public));
303 ike_sa_id->set_responder_spi(ike_sa_id,responder_spi);
304
305 /*
306 * Precompute NAT-D hashes.
307 * Even though there SHOULD only be a single payload of each
308 * Notify type, we precompute both hashes.
309 */
310 this->natd_hash_i = this->ike_sa->generate_natd_hash(this->ike_sa,
311 ike_sa_init_reply->get_initiator_spi(ike_sa_init_reply),
312 ike_sa_init_reply->get_responder_spi(ike_sa_init_reply),
313 ike_sa_init_reply->get_source(ike_sa_init_reply));
314 this->natd_hash_i_matched = FALSE;
315 this->natd_seen_i = 0;
316 this->natd_hash_r = this->ike_sa->generate_natd_hash(this->ike_sa,
317 ike_sa_init_reply->get_initiator_spi(ike_sa_init_reply),
318 ike_sa_init_reply->get_responder_spi(ike_sa_init_reply),
319 ike_sa_init_reply->get_destination(ike_sa_init_reply));
320 this->natd_hash_r_matched = FALSE;
321 this->natd_seen_r = 0;
322 this->ike_sa->set_my_host_behind_nat(this->ike_sa, FALSE);
323 this->ike_sa->set_other_host_behind_nat(this->ike_sa, FALSE);
324
325 /* Iterate over all payloads.
326 *
327 * The message is already checked for the right payload types.
328 */
329 payloads = ike_sa_init_reply->get_payload_iterator(ike_sa_init_reply);
330 while (payloads->has_next(payloads))
331 {
332 payload_t *payload;
333 payloads->current(payloads, (void**)&payload);
334
335 switch (payload->get_type(payload))
336 {
337 case SECURITY_ASSOCIATION:
338 {
339 sa_payload = (sa_payload_t*)payload;
340 break;
341 }
342 case KEY_EXCHANGE:
343 {
344 ke_payload = (ke_payload_t*)payload;
345 break;
346 }
347 case NONCE:
348 {
349 nonce_payload = (nonce_payload_t*)payload;
350 break;
351 }
352 case NOTIFY:
353 {
354 notify_payload_t *notify_payload = (notify_payload_t *) payload;
355
356 status = this->process_notify_payload(this, notify_payload);
357 if (status != SUCCESS)
358 {
359 payloads->destroy(payloads);
360 return status;
361 }
362 break;
363 }
364 default:
365 {
366 this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring payload %s (%d)",
367 mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload));
368 break;
369 }
370
371 }
372
373 }
374 payloads->destroy(payloads);
375
376 if (!(nonce_payload && sa_payload && ke_payload))
377 {
378 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT reply did not contain all required payloads. Deleting IKE_SA");
379 return DESTROY_ME;
380 }
381
382 status = this->process_nonce_payload (this,nonce_payload);
383 if (status != SUCCESS)
384 {
385 return status;
386 }
387
388 status = this->process_sa_payload (this,sa_payload);
389 if (status != SUCCESS)
390 {
391 return status;
392 }
393
394 status = this->process_ke_payload (this,ke_payload);
395 if (status != SUCCESS)
396 {
397 return status;
398 }
399
400 /* derive all the keys used in the IKE_SA */
401 status = this->ike_sa->build_transforms(this->ike_sa, this->proposal, this->diffie_hellman, this->sent_nonce, this->received_nonce);
402 if (status != SUCCESS)
403 {
404 this->logger->log(this->logger, AUDIT, "Transform objects could not be created from selected proposal. Deleting IKE_SA");
405 return DESTROY_ME;
406 }
407
408 /* NAT-D */
409 if ((!this->natd_seen_i && this->natd_seen_r > 0)
410 || (this->natd_seen_i > 0 && !this->natd_seen_r))
411 {
412 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT request contained wrong number of NAT-D payloads. Deleting IKE_SA");
413 return DESTROY_ME;
414 }
415 if (this->natd_seen_r > 1)
416 {
417 this->logger->log(this->logger, AUDIT, "Warning: IKE_SA_INIT request contained multiple Notify(NAT_DETECTION_DESTINATION_IP) payloads.");
418 }
419 if (this->natd_seen_i > 0 && !this->natd_hash_i_matched)
420 {
421 this->logger->log(this->logger, AUDIT, "Remote host is behind NAT, using NAT-T.");
422 this->ike_sa->set_other_host_behind_nat(this->ike_sa, TRUE);
423 }
424 if (this->natd_seen_r > 0 && !this->natd_hash_r_matched)
425 {
426 this->logger->log(this->logger, AUDIT, "Local host is behind NAT, using NAT-T.");
427 this->ike_sa->set_my_host_behind_nat(this->ike_sa, TRUE);
428 }
429
430 /* apply the address on wich we really received the packet,
431 * and switch to port 4500 when using NAT-T and NAT was detected.
432 */
433 connection = this->ike_sa->get_connection(this->ike_sa);
434 me = ike_sa_init_reply->get_destination(ike_sa_init_reply);
435 other = ike_sa_init_reply->get_source(ike_sa_init_reply);
436
437 if (this->ike_sa->public.is_any_host_behind_nat((ike_sa_t*)this->ike_sa))
438 {
439 me->set_port(me, IKEV2_NATT_PORT);
440 other->set_port(other, IKEV2_NATT_PORT);
441 this->logger->log(this->logger, AUDIT, "Switching to port %d.", IKEV2_NATT_PORT);
442 }
443 else
444 {
445 this->logger->log(this->logger, AUDIT, "No NAT detected, not using NAT-T.");
446 }
447
448 if (this->ike_sa->public.is_my_host_behind_nat(&this->ike_sa->public))
449 {
450 charon->event_queue->add_relative(charon->event_queue,
451 (job_t*)send_keepalive_job_create(this->ike_sa->public.get_id((ike_sa_t*)this->ike_sa)),
452 charon->configuration->get_keepalive_interval(charon->configuration));
453 }
454
455 status = this->ike_sa->update_connection_hosts(this->ike_sa, me, other);
456 if (status != SUCCESS)
457 {
458 return status;
459 }
460
461 policy = this->ike_sa->get_policy(this->ike_sa);
462 policy->update_my_ts(policy, me);
463 policy->update_other_ts(policy, other);
464
465 /* build empty message */
466 this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request);
467
468 status = this->build_id_payload(this, &id_payload, request);
469 if (status != SUCCESS)
470 {
471 request->destroy(request);
472 return status;
473 }
474 status = this->build_idr_payload(this, request);
475 if (status != SUCCESS)
476 {
477 request->destroy(request);
478 return status;
479 }
480 status = this->build_auth_payload(this, (id_payload_t*)id_payload, request);
481 if (status != SUCCESS)
482 {
483 request->destroy(request);
484 return status;
485 }
486 status = this->build_sa_payload(this, request);
487 if (status != SUCCESS)
488 {
489 request->destroy(request);
490 return status;
491 }
492 status = this->build_tsi_payload(this, request);
493 if (status != SUCCESS)
494 {
495 request->destroy(request);
496 return status;
497 }
498 status = this->build_tsr_payload(this, request);
499 if (status != SUCCESS)
500 {
501 request->destroy(request);
502 return status;
503 }
504
505 /* message can now be sent (must not be destroyed) */
506 status = this->ike_sa->send_request(this->ike_sa, request);
507 if (status != SUCCESS)
508 {
509 this->logger->log(this->logger, AUDIT, "Unable to send IKE_AUTH request. Deleting IKE_SA");
510 request->destroy(request);
511 return DESTROY_ME;
512 }
513
514 this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_sa_init_reply->get_message_id(ike_sa_init_reply));
515
516 ike_sa_init_reply_data = ike_sa_init_reply->get_packet_data(ike_sa_init_reply);
517
518 /* state can now be changed */
519 next_state = ike_auth_requested_create(this->ike_sa, this->sent_nonce, this->received_nonce,
520 ike_sa_init_reply_data, this->child_sa);
521 this->ike_sa->set_new_state(this->ike_sa,(state_t *) next_state);
522
523 this->destroy_after_state_change(this);
524 return SUCCESS;
525 }
526
527
528 /**
529 * Implementation of private_ike_sa_init_requested_t.process_nonce_payload.
530 */
531 status_t process_nonce_payload (private_ike_sa_init_requested_t *this, nonce_payload_t *nonce_payload)
532 {
533 free(this->received_nonce.ptr);
534 this->received_nonce = nonce_payload->get_nonce(nonce_payload);
535 return SUCCESS;
536 }
537
538
539 /**
540 * Implementation of private_ike_sa_init_requested_t.process_sa_payload.
541 */
542 status_t process_sa_payload (private_ike_sa_init_requested_t *this, sa_payload_t *sa_payload)
543 {
544 proposal_t *proposal;
545 linked_list_t *proposal_list;
546 connection_t *connection;
547
548 connection = this->ike_sa->get_connection(this->ike_sa);
549
550 /* get the list of selected proposals, the peer has to select only one proposal */
551 proposal_list = sa_payload->get_proposals (sa_payload);
552 if (proposal_list->get_count(proposal_list) != 1)
553 {
554 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response did not contain a single proposal. Deleting IKE_SA");
555 while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
556 {
557 proposal->destroy(proposal);
558 }
559 proposal_list->destroy(proposal_list);
560 return DESTROY_ME;
561 }
562
563 /* we have to re-check if the others selection is valid */
564 this->proposal = connection->select_proposal(connection, proposal_list);
565 while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
566 {
567 proposal->destroy(proposal);
568 }
569 proposal_list->destroy(proposal_list);
570
571 if (this->proposal == NULL)
572 {
573 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response contained selected proposal we did not offer. Deleting IKE_SA");
574 return DESTROY_ME;
575 }
576
577 return SUCCESS;
578 }
579
580 /**
581 * Implementation of private_ike_sa_init_requested_t.process_ke_payload.
582 */
583 status_t process_ke_payload (private_ike_sa_init_requested_t *this, ke_payload_t *ke_payload)
584 {
585 this->diffie_hellman->set_other_public_value(this->diffie_hellman, ke_payload->get_key_exchange_data(ke_payload));
586
587 return SUCCESS;
588 }
589
590 /**
591 * Implementation of private_ike_sa_init_requested_t.build_id_payload.
592 */
593 static status_t build_id_payload (private_ike_sa_init_requested_t *this,id_payload_t **id_payload, message_t *request)
594 {
595 policy_t *policy;
596 id_payload_t *new_id_payload;
597 identification_t *identification;
598
599 policy = this->ike_sa->get_policy(this->ike_sa);
600 identification = policy->get_my_id(policy);
601 new_id_payload = id_payload_create_from_identification(TRUE, identification);
602
603 this->logger->log(this->logger, CONTROL|LEVEL2, "Add ID payload to message");
604 request->add_payload(request,(payload_t *) new_id_payload);
605
606 *id_payload = new_id_payload;
607
608 return SUCCESS;
609 }
610
611 /**
612 * Implementation of private_ike_sa_init_requested_t.build_idr_payload.
613 */
614 static status_t build_idr_payload (private_ike_sa_init_requested_t *this, message_t *request)
615 {
616 policy_t *policy;
617 id_payload_t *idr_payload;
618 identification_t *identification;
619
620 policy = this->ike_sa->get_policy(this->ike_sa);
621 identification = policy->get_other_id(policy);
622 if (!identification->contains_wildcards(identification))
623 {
624 idr_payload = id_payload_create_from_identification(FALSE, identification);
625
626 this->logger->log(this->logger, CONTROL|LEVEL2, "Add IDr payload to message");
627 request->add_payload(request,(payload_t *) idr_payload);
628 }
629 return SUCCESS;
630 }
631
632 /**
633 * Implementation of private_ike_sa_init_requested_t.build_auth_payload.
634 */
635 static status_t build_auth_payload (private_ike_sa_init_requested_t *this, id_payload_t *my_id_payload, message_t *request)
636 {
637 authenticator_t *authenticator;
638 auth_payload_t *auth_payload;
639 status_t status;
640
641 authenticator = authenticator_create(this->ike_sa);
642 status = authenticator->compute_auth_data(authenticator,&auth_payload,this->ike_sa_init_request_data,this->received_nonce,my_id_payload,TRUE);
643 authenticator->destroy(authenticator);
644
645 if (status != SUCCESS)
646 {
647 this->logger->log(this->logger, AUDIT, "Could not generate AUTH data for IKE_AUTH request. Deleting IKE_SA");
648 return DESTROY_ME;
649 }
650
651 this->logger->log(this->logger, CONTROL|LEVEL2, "Add AUTH payload to message");
652 request->add_payload(request,(payload_t *) auth_payload);
653
654 return SUCCESS;
655 }
656
657 /**
658 * Implementation of private_ike_sa_init_requested_t.build_sa_payload.
659 */
660 static status_t build_sa_payload (private_ike_sa_init_requested_t *this, message_t *request)
661 {
662 linked_list_t *proposal_list;
663 sa_payload_t *sa_payload;
664 policy_t *policy;
665 connection_t *connection;
666
667 /* get proposals form config, add to payload */
668 policy = this->ike_sa->get_policy(this->ike_sa);
669 proposal_list = policy->get_proposals(policy);
670 /* build child sa */
671 connection = this->ike_sa->get_connection(this->ike_sa);
672 this->child_sa = child_sa_create(0,
673 connection->get_my_host(connection),
674 connection->get_other_host(connection),
675 policy->get_soft_lifetime(policy),
676 policy->get_hard_lifetime(policy),
677 this->ike_sa->public.is_any_host_behind_nat(&this->ike_sa->public));
678 if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS)
679 {
680 this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA");
681 return DESTROY_ME;
682 }
683
684 sa_payload = sa_payload_create_from_proposal_list(proposal_list);
685
686 this->logger->log(this->logger, CONTROL|LEVEL2, "Add SA payload to message");
687 request->add_payload(request,(payload_t *) sa_payload);
688
689 return SUCCESS;
690 }
691
692 /**
693 * Implementation of private_ike_sa_init_requested_t.build_tsi_payload.
694 */
695 static status_t build_tsi_payload (private_ike_sa_init_requested_t *this, message_t *request)
696 {
697 linked_list_t *ts_list;
698 ts_payload_t *ts_payload;
699 policy_t *policy;
700
701 policy = this->ike_sa->get_policy(this->ike_sa);
702 ts_list = policy->get_my_traffic_selectors(policy);
703 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, ts_list);
704
705 this->logger->log(this->logger, CONTROL|LEVEL2, "Add TSi payload to message");
706 request->add_payload(request,(payload_t *) ts_payload);
707
708 return SUCCESS;
709 }
710
711 /**
712 * Implementation of private_ike_sa_init_requested_t.build_tsr_payload.
713 */
714 static status_t build_tsr_payload (private_ike_sa_init_requested_t *this, message_t *request)
715 {
716 linked_list_t *ts_list;
717 ts_payload_t *ts_payload;
718 policy_t *policy;
719
720 policy = this->ike_sa->get_policy(this->ike_sa);
721 ts_list = policy->get_other_traffic_selectors(policy);
722 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, ts_list);
723
724 this->logger->log(this->logger, CONTROL|LEVEL2, "Add TSr payload to message");
725 request->add_payload(request,(payload_t *) ts_payload);
726
727 return SUCCESS;
728 }
729
730 /**
731 * Implementation of private_ike_sa_init_requested_t.process_notify_payload.
732 */
733 static status_t process_notify_payload(private_ike_sa_init_requested_t *this, notify_payload_t *notify_payload)
734 {
735 chunk_t notification_data;
736 notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
737
738 this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s",
739 mapping_find(notify_message_type_m, notify_message_type));
740
741 switch (notify_message_type)
742 {
743 case NO_PROPOSAL_CHOSEN:
744 {
745 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response contained a NO_PROPOSAL_CHOSEN notify. Deleting IKE_SA");
746 return DESTROY_ME;
747 }
748 case INVALID_MAJOR_VERSION:
749 {
750 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response contained a INVALID_MAJOR_VERSION notify. Deleting IKE_SA");
751 return DESTROY_ME;
752 }
753 case INVALID_KE_PAYLOAD:
754 {
755 initiator_init_t *initiator_init_state;
756 chunk_t notify_data;
757 diffie_hellman_group_t dh_group, old_dh_group;
758 connection_t *connection;
759
760 connection = this->ike_sa->get_connection(this->ike_sa);
761 old_dh_group = connection->get_dh_group(connection);
762 notify_data = notify_payload->get_notification_data(notify_payload);
763 dh_group = ntohs(*((u_int16_t*)notify_data.ptr));
764
765 /* TODO:
766 * We are very restrictive here: If the other didn't accept
767 * our DH group, and we do not accept his offer, continuation
768 * is cancelled...
769 */
770
771 this->logger->log(this->logger, AUDIT, "Peer didn't accept %s, it requested %s!",
772 mapping_find(diffie_hellman_group_m, old_dh_group),
773 mapping_find(diffie_hellman_group_m, dh_group));
774 /* check if we can accept this dh group */
775 if (!connection->check_dh_group(connection, dh_group))
776 {
777 this->logger->log(this->logger, AUDIT,
778 "Peer does only accept DH group %s, which we do not accept! Aborting",
779 mapping_find(diffie_hellman_group_m, dh_group));
780 return DESTROY_ME;
781 }
782
783 /* Going to change state back to initiator_init_t */
784 this->logger->log(this->logger, CONTROL|LEVEL2, "Create next state object");
785 initiator_init_state = initiator_init_create(this->ike_sa);
786
787 /* buffer of sent and received messages has to get reseted */
788 this->ike_sa->reset_message_buffers(this->ike_sa);
789
790 /* state can now be changed */
791 this->ike_sa->set_new_state(this->ike_sa,(state_t *) initiator_init_state);
792
793 /* state has NOW changed :-) */
794 this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy old sate object");
795 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to retry initialization of connection");
796
797 this->public.state_interface.destroy(&(this->public.state_interface));
798 if (initiator_init_state->retry_initiate_connection (initiator_init_state, dh_group) != SUCCESS)
799 {
800 return DESTROY_ME;
801 }
802 return FAILED;
803 }
804 case NAT_DETECTION_DESTINATION_IP:
805 {
806 this->natd_seen_r++;
807 if (this->natd_hash_r_matched)
808 return SUCCESS;
809
810 notification_data = notify_payload->get_notification_data(notify_payload);
811 if (chunk_equals(notification_data, this->natd_hash_r))
812 {
813 this->natd_hash_r_matched = TRUE;
814 this->logger->log(this->logger, CONTROL|LEVEL3, "NAT-D hash match");
815 }
816 else
817 {
818 this->logger->log(this->logger, CONTROL|LEVEL3, "NAT-D hash mismatch");
819 }
820
821 return SUCCESS;
822 }
823 case NAT_DETECTION_SOURCE_IP:
824 {
825 this->natd_seen_i++;
826 if (this->natd_hash_i_matched)
827 return SUCCESS;
828
829 notification_data = notify_payload->get_notification_data(notify_payload);
830 if (chunk_equals(notification_data, this->natd_hash_i))
831 {
832 this->natd_hash_i_matched = TRUE;
833 this->logger->log(this->logger, CONTROL|LEVEL3, "NAT-D hash match");
834 }
835 else
836 {
837 this->logger->log(this->logger, CONTROL|LEVEL3, "NAT-D hash mismatch");
838 }
839
840 return SUCCESS;
841 }
842 default:
843 {
844 /*
845 * - In case of unknown error: IKE_SA gets destroyed.
846 * - In case of unknown status: logging
847 */
848 if (notify_message_type < 16383)
849 {
850 this->logger->log(this->logger, AUDIT, "IKE_SA_INIT reply contained an unknown notify error (%d). Deleting IKE_SA",
851 notify_message_type);
852 return DESTROY_ME;
853 }
854 else
855 {
856 this->logger->log(this->logger, CONTROL, "IKE_SA_INIT reply contained an unknown notify (%d), ignored.",
857 notify_message_type);
858 return SUCCESS;
859 }
860 }
861 }
862 }
863
864 /**
865 * Implementation of state_t.get_state.
866 */
867 static ike_sa_state_t get_state(private_ike_sa_init_requested_t *this)
868 {
869 return IKE_SA_INIT_REQUESTED;
870 }
871
872 /**
873 * Implementation of private_ike_sa_init_requested_t.destroy_after_state_change.
874 */
875 static void destroy_after_state_change (private_ike_sa_init_requested_t *this)
876 {
877 this->diffie_hellman->destroy(this->diffie_hellman);
878 chunk_free(&(this->ike_sa_init_request_data));
879 if (this->proposal)
880 {
881 this->proposal->destroy(this->proposal);
882 }
883 free(this);
884 }
885
886 /**
887 * Implementation state_t.destroy.
888 */
889 static void destroy(private_ike_sa_init_requested_t *this)
890 {
891 this->diffie_hellman->destroy(this->diffie_hellman);
892 free(this->sent_nonce.ptr);
893 free(this->received_nonce.ptr);
894 chunk_free(&(this->ike_sa_init_request_data));
895 if (this->child_sa)
896 {
897 this->child_sa->destroy(this->child_sa);
898 }
899 if (this->proposal)
900 {
901 this->proposal->destroy(this->proposal);
902 }
903 free(this);
904 }
905
906 /*
907 * Described in header.
908 */
909 ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa, diffie_hellman_t *diffie_hellman, chunk_t sent_nonce,chunk_t ike_sa_init_request_data)
910 {
911 private_ike_sa_init_requested_t *this = malloc_thing(private_ike_sa_init_requested_t);
912
913 /* interface functions */
914 this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
915 this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
916 this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
917
918 /* private functions */
919 this->destroy_after_state_change = destroy_after_state_change;
920 this->process_nonce_payload = process_nonce_payload;
921 this->process_sa_payload = process_sa_payload;
922 this->process_ke_payload = process_ke_payload;
923 this->build_auth_payload = build_auth_payload;
924 this->build_tsi_payload = build_tsi_payload;
925 this->build_tsr_payload = build_tsr_payload;
926 this->build_id_payload = build_id_payload;
927 this->build_idr_payload = build_idr_payload;
928 this->build_sa_payload = build_sa_payload;
929 this->process_notify_payload = process_notify_payload;
930
931 /* private data */
932 this->ike_sa = ike_sa;
933 this->received_nonce = CHUNK_INITIALIZER;
934 this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
935 this->diffie_hellman = diffie_hellman;
936 this->proposal = NULL;
937 this->sent_nonce = sent_nonce;
938 this->child_sa = NULL;
939 this->ike_sa_init_request_data = ike_sa_init_request_data;
940
941 return &(this->public);
942 }