added retry limit for IKE_SA_INIT (give up after 5 cookie failures)
[strongswan.git] / src / charon / sa / tasks / ike_init.c
1 /**
2 * @file ike_init.c
3 *
4 * @brief Implementation of the ike_init task.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include "ike_init.h"
25
26 #include <string.h>
27
28 #include <daemon.h>
29 #include <crypto/diffie_hellman.h>
30 #include <encoding/payloads/sa_payload.h>
31 #include <encoding/payloads/ke_payload.h>
32 #include <encoding/payloads/nonce_payload.h>
33
34 /** maximum retries to do with cookies/other dh groups */
35 #define MAX_RETRIES 5
36
37 typedef struct private_ike_init_t private_ike_init_t;
38
39 /**
40 * Private members of a ike_init_t task.
41 */
42 struct private_ike_init_t {
43
44 /**
45 * Public methods and task_t interface.
46 */
47 ike_init_t public;
48
49 /**
50 * Assigned IKE_SA.
51 */
52 ike_sa_t *ike_sa;
53
54 /**
55 * Are we the initiator?
56 */
57 bool initiator;
58
59 /**
60 * Connection established by this IKE_SA
61 */
62 connection_t *connection;
63
64 /**
65 * diffie hellman group to use
66 */
67 diffie_hellman_group_t dh_group;
68
69 /**
70 * Diffie hellman object used to generate public DH value.
71 */
72 diffie_hellman_t *diffie_hellman;
73
74 /**
75 * nonce chosen by us
76 */
77 chunk_t my_nonce;
78
79 /**
80 * nonce chosen by peer
81 */
82 chunk_t other_nonce;
83
84 /**
85 * Negotiated proposal used for IKE_SA
86 */
87 proposal_t *proposal;
88
89 /**
90 * Old IKE_SA which gets rekeyed
91 */
92 ike_sa_t *old_sa;
93
94 /**
95 * cookie received from responder
96 */
97 chunk_t cookie;
98
99 /**
100 * retries done so far after failure (cookie or bad dh group)
101 */
102 u_int retry;
103 };
104
105 /**
106 * build the payloads for the message
107 */
108 static void build_payloads(private_ike_init_t *this, message_t *message)
109 {
110 sa_payload_t *sa_payload;
111 ke_payload_t *ke_payload;
112 nonce_payload_t *nonce_payload;
113 linked_list_t *proposal_list;
114 ike_sa_id_t *id;
115 proposal_t *proposal;
116 iterator_t *iterator;
117
118 id = this->ike_sa->get_id(this->ike_sa);
119
120 this->connection = this->ike_sa->get_connection(this->ike_sa);
121
122 if (this->initiator)
123 {
124 proposal_list = this->connection->get_proposals(this->connection);
125 if (this->old_sa)
126 {
127 /* include SPI of new IKE_SA when we are rekeying */
128 iterator = proposal_list->create_iterator(proposal_list, TRUE);
129 while (iterator->iterate(iterator, (void**)&proposal))
130 {
131 proposal->set_spi(proposal, id->get_initiator_spi(id));
132 }
133 iterator->destroy(iterator);
134 }
135
136 sa_payload = sa_payload_create_from_proposal_list(proposal_list);
137 proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
138 }
139 else
140 {
141 if (this->old_sa)
142 {
143 /* include SPI of new IKE_SA when we are rekeying */
144 this->proposal->set_spi(this->proposal, id->get_responder_spi(id));
145 }
146 sa_payload = sa_payload_create_from_proposal(this->proposal);
147 }
148 message->add_payload(message, (payload_t*)sa_payload);
149
150 nonce_payload = nonce_payload_create();
151 nonce_payload->set_nonce(nonce_payload, this->my_nonce);
152 message->add_payload(message, (payload_t*)nonce_payload);
153
154 ke_payload = ke_payload_create_from_diffie_hellman(this->diffie_hellman);
155 message->add_payload(message, (payload_t*)ke_payload);
156 }
157
158 /**
159 * Read payloads from message
160 */
161 static void process_payloads(private_ike_init_t *this, message_t *message)
162 {
163 iterator_t *iterator;
164 payload_t *payload;
165
166 iterator = message->get_payload_iterator(message);
167 while (iterator->iterate(iterator, (void**)&payload))
168 {
169 switch (payload->get_type(payload))
170 {
171 case SECURITY_ASSOCIATION:
172 {
173 sa_payload_t *sa_payload = (sa_payload_t*)payload;
174 linked_list_t *proposal_list;
175
176 proposal_list = sa_payload->get_proposals(sa_payload);
177 this->proposal = this->connection->select_proposal(
178 this->connection, proposal_list);
179 proposal_list->destroy_offset(proposal_list,
180 offsetof(proposal_t, destroy));
181 break;
182 }
183 case KEY_EXCHANGE:
184 {
185 ke_payload_t *ke_payload = (ke_payload_t*)payload;
186 diffie_hellman_group_t dh_group;
187 chunk_t key_data;
188
189 dh_group = ke_payload->get_dh_group_number(ke_payload);
190
191 if (this->initiator)
192 {
193 if (dh_group != this->dh_group)
194 {
195 DBG1(DBG_IKE, "received a DH group not requested (%N)",
196 diffie_hellman_group_names, dh_group);
197 break;
198 }
199 }
200 else
201 {
202 this->dh_group = dh_group;
203 if (!this->connection->check_dh_group(this->connection,
204 dh_group))
205 {
206 break;
207 }
208 this->diffie_hellman = diffie_hellman_create(dh_group);
209 }
210 if (this->diffie_hellman)
211 {
212 key_data = ke_payload->get_key_exchange_data(ke_payload);
213 this->diffie_hellman->set_other_public_value(this->diffie_hellman, key_data);
214 }
215 break;
216 }
217 case NONCE:
218 {
219 nonce_payload_t *nonce_payload = (nonce_payload_t*)payload;
220 this->other_nonce = nonce_payload->get_nonce(nonce_payload);
221 break;
222 }
223 default:
224 break;
225 }
226 }
227 iterator->destroy(iterator);
228 }
229
230 /**
231 * Implementation of task_t.process for initiator
232 */
233 static status_t build_i(private_ike_init_t *this, message_t *message)
234 {
235 randomizer_t *randomizer;
236 status_t status;
237
238 this->connection = this->ike_sa->get_connection(this->ike_sa);
239 SIG(IKE_UP_START, "initiating IKE_SA to %H",
240 this->connection->get_other_host(this->connection));
241 this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
242
243 if (this->retry++ >= MAX_RETRIES)
244 {
245 SIG(IKE_UP_FAILED, "giving up after %d retries", MAX_RETRIES);
246 return FAILED;
247 }
248
249 /* if the DH group is set via use_dh_group(), we already have a DH object */
250 if (!this->diffie_hellman)
251 {
252 this->dh_group = this->connection->get_dh_group(this->connection);
253 this->diffie_hellman = diffie_hellman_create(this->dh_group);
254 if (this->diffie_hellman == NULL)
255 {
256 SIG(IKE_UP_FAILED, "configured DH group %N not supported",
257 diffie_hellman_group_names, this->dh_group);
258 return FAILED;
259 }
260 }
261
262 /* generate nonce only when we are trying the first time */
263 if (this->my_nonce.ptr == NULL)
264 {
265 randomizer = randomizer_create();
266 status = randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_SIZE,
267 &this->my_nonce);
268 randomizer->destroy(randomizer);
269 if (status != SUCCESS)
270 {
271 SIG(IKE_UP_FAILED, "error generating random nonce value");
272 return FAILED;
273 }
274 }
275
276 if (this->cookie.ptr)
277 {
278 message->add_notify(message, FALSE, COOKIE, this->cookie);
279 }
280
281 build_payloads(this, message);
282
283
284 return NEED_MORE;
285 }
286
287 /**
288 * Implementation of task_t.process for initiator
289 */
290 static status_t process_r(private_ike_init_t *this, message_t *message)
291 {
292 randomizer_t *randomizer;
293
294 this->connection = this->ike_sa->get_connection(this->ike_sa);
295 SIG(IKE_UP_FAILED, "%H is initiating an IKE_SA",
296 message->get_source(message));
297 this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
298
299 randomizer = randomizer_create();
300 if (randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_SIZE,
301 &this->my_nonce) != SUCCESS)
302 {
303 DBG1(DBG_IKE, "error generating random nonce value");
304 }
305 randomizer->destroy(randomizer);
306
307 process_payloads(this, message);
308
309 return NEED_MORE;
310 }
311
312 /**
313 * Implementation of task_t.build for responder
314 */
315 static status_t build_r(private_ike_init_t *this, message_t *message)
316 {
317 chunk_t secret;
318 status_t status;
319
320 /* check if we have everything we need */
321 if (this->proposal == NULL ||
322 this->other_nonce.len == 0 || this->my_nonce.len == 0)
323 {
324 SIG(IKE_UP_FAILED, "received proposals inacceptable");
325 message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
326 return FAILED;
327 }
328
329 if (this->diffie_hellman == NULL ||
330 this->diffie_hellman->get_shared_secret(this->diffie_hellman,
331 &secret) != SUCCESS)
332 {
333 chunk_t chunk;
334 u_int16_t dh_enc;
335
336 SIG(IKE_UP_FAILED, "received inacceptable DH group (%N)",
337 diffie_hellman_group_names, this->dh_group);
338 this->dh_group = this->connection->get_dh_group(this->connection);
339 dh_enc = htons(this->dh_group);
340 chunk.ptr = (u_int8_t*)&dh_enc;
341 chunk.len = sizeof(dh_enc);
342 message->add_notify(message, TRUE, INVALID_KE_PAYLOAD, chunk);
343 DBG1(DBG_IKE, "requesting DH group %N",
344 diffie_hellman_group_names, this->dh_group);
345 return FAILED;
346 }
347
348
349 if (this->old_sa)
350 {
351 ike_sa_id_t *id;
352 prf_t *prf, *child_prf;
353
354 /* Apply SPI if we are rekeying */
355 id = this->ike_sa->get_id(this->ike_sa);
356 id->set_initiator_spi(id, this->proposal->get_spi(this->proposal));
357
358 /* setup crypto keys for the rekeyed SA */
359 prf = this->old_sa->get_prf(this->old_sa);
360 child_prf = this->old_sa->get_child_prf(this->old_sa);
361 status = this->ike_sa->derive_keys(this->ike_sa, this->proposal, secret,
362 this->other_nonce, this->my_nonce,
363 FALSE, child_prf, prf);
364 }
365 else
366 {
367 /* setup crypto keys */
368 status = this->ike_sa->derive_keys(this->ike_sa, this->proposal, secret,
369 this->other_nonce, this->my_nonce,
370 FALSE, NULL, NULL);
371 }
372 if (status != SUCCESS)
373 {
374 SIG(IKE_UP_FAILED, "key derivation failed");
375 message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
376 return FAILED;
377 }
378
379 build_payloads(this, message);
380
381 return SUCCESS;
382 }
383
384 /**
385 * Implementation of task_t.process for initiator
386 */
387 static status_t process_i(private_ike_init_t *this, message_t *message)
388 {
389 chunk_t secret;
390 status_t status;
391 iterator_t *iterator;
392 payload_t *payload;
393
394 /* check for erronous notifies */
395 iterator = message->get_payload_iterator(message);
396 while (iterator->iterate(iterator, (void**)&payload))
397 {
398 if (payload->get_type(payload) == NOTIFY)
399 {
400 notify_payload_t *notify = (notify_payload_t*)payload;
401 notify_type_t type = notify->get_notify_type(notify);
402
403 switch (type)
404 {
405 case INVALID_KE_PAYLOAD:
406 {
407 chunk_t data;
408 diffie_hellman_group_t old_dh_group;
409
410 old_dh_group = this->dh_group;
411 data = notify->get_notification_data(notify);
412 this->dh_group = ntohs(*((u_int16_t*)data.ptr));
413
414 DBG1(DBG_IKE, "peer didn't accept DH group %N, it requested"
415 " %N", diffie_hellman_group_names, old_dh_group,
416 diffie_hellman_group_names, this->dh_group);
417 if (!this->connection->check_dh_group(this->connection,
418 this->dh_group))
419 {
420 DBG1(DBG_IKE, "requested DH group %N not acceptable, "
421 "giving up", diffie_hellman_group_names,
422 this->dh_group);
423 iterator->destroy(iterator);
424 return FAILED;
425 }
426
427 this->ike_sa->reset(this->ike_sa);
428
429 iterator->destroy(iterator);
430 return NEED_MORE;
431 }
432 case NAT_DETECTION_SOURCE_IP:
433 case NAT_DETECTION_DESTINATION_IP:
434 /* skip, handled in ike_natd_t */
435 break;
436 case COOKIE:
437 {
438 chunk_free(&this->cookie);
439 this->cookie = chunk_clone(notify->get_notification_data(notify));
440 this->ike_sa->reset(this->ike_sa);
441 iterator->destroy(iterator);
442 DBG1(DBG_IKE, "received %N notify", notify_type_names, type);
443 return NEED_MORE;
444 }
445 default:
446 {
447 if (type < 16383)
448 {
449 SIG(IKE_UP_FAILED, "received %N notify error",
450 notify_type_names, type);
451 iterator->destroy(iterator);
452 return FAILED;
453 }
454 DBG1(DBG_IKE, "received %N notify",
455 notify_type_names, type);
456 break;
457 }
458 }
459 }
460 }
461 iterator->destroy(iterator);
462
463 process_payloads(this, message);
464
465 /* check if we have everything */
466 if (this->proposal == NULL ||
467 this->other_nonce.len == 0 || this->my_nonce.len == 0)
468 {
469 SIG(IKE_UP_FAILED, "peers proposal selection invalid");
470 return FAILED;
471 }
472
473 if (this->diffie_hellman == NULL ||
474 this->diffie_hellman->get_shared_secret(this->diffie_hellman,
475 &secret) != SUCCESS)
476 {
477 SIG(IKE_UP_FAILED, "peers DH group selection invalid");
478 return FAILED;
479 }
480
481 /* Apply SPI if we are rekeying */
482 if (this->old_sa)
483 {
484 ike_sa_id_t *id;
485 prf_t *prf, *child_prf;
486
487 id = this->ike_sa->get_id(this->ike_sa);
488 id->set_responder_spi(id, this->proposal->get_spi(this->proposal));
489
490 /* setup crypto keys for the rekeyed SA */
491 prf = this->old_sa->get_prf(this->old_sa);
492 child_prf = this->old_sa->get_child_prf(this->old_sa);
493 status = this->ike_sa->derive_keys(this->ike_sa, this->proposal, secret,
494 this->my_nonce, this->other_nonce,
495 TRUE, child_prf, prf);
496 }
497 else
498 {
499 /* setup crypto keys for a new SA */
500 status = this->ike_sa->derive_keys(this->ike_sa, this->proposal, secret,
501 this->my_nonce, this->other_nonce,
502 TRUE, NULL, NULL);
503 }
504 if (status != SUCCESS)
505 {
506 SIG(IKE_UP_FAILED, "key derivation failed");
507 return FAILED;
508 }
509 return SUCCESS;
510 }
511
512 /**
513 * Implementation of task_t.get_type
514 */
515 static task_type_t get_type(private_ike_init_t *this)
516 {
517 return IKE_INIT;
518 }
519
520 /**
521 * Implementation of task_t.get_type
522 */
523 static chunk_t get_lower_nonce(private_ike_init_t *this)
524 {
525 if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
526 min(this->my_nonce.len, this->other_nonce.len)) < 0)
527 {
528 return this->my_nonce;
529 }
530 else
531 {
532 return this->other_nonce;
533 }
534 }
535
536 /**
537 * Implementation of task_t.migrate
538 */
539 static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa)
540 {
541 DESTROY_IF(this->proposal);
542 DESTROY_IF(this->diffie_hellman);
543 chunk_free(&this->other_nonce);
544
545 this->ike_sa = ike_sa;
546 this->proposal = NULL;
547 this->diffie_hellman = diffie_hellman_create(this->dh_group);
548 }
549
550 /**
551 * Implementation of task_t.destroy
552 */
553 static void destroy(private_ike_init_t *this)
554 {
555 DESTROY_IF(this->proposal);
556 DESTROY_IF(this->diffie_hellman);
557 chunk_free(&this->my_nonce);
558 chunk_free(&this->other_nonce);
559 chunk_free(&this->cookie);
560 free(this);
561 }
562
563 /*
564 * Described in header.
565 */
566 ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
567 {
568 private_ike_init_t *this = malloc_thing(private_ike_init_t);
569
570 this->public.get_lower_nonce = (chunk_t(*)(ike_init_t*))get_lower_nonce;
571 this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
572 this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
573 this->public.task.destroy = (void(*)(task_t*))destroy;
574 if (initiator)
575 {
576 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
577 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
578 }
579 else
580 {
581 this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
582 this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
583 }
584
585 this->ike_sa = ike_sa;
586 this->initiator = initiator;
587 this->dh_group = MODP_NONE;
588 this->diffie_hellman = NULL;
589 this->my_nonce = chunk_empty;
590 this->other_nonce = chunk_empty;
591 this->cookie = chunk_empty;
592 this->proposal = NULL;
593 this->connection = NULL;
594 this->old_sa = old_sa;
595 this->retry = 0;
596
597 return &this->public;
598 }