projects / strongswan.git / blob
? search:


f5927671454aebb04afe88d6aa63216c723e1e9d
[strongswan.git] / src / libcharon / sa / tasks / main_mode.c
1 /*
2 * Copyright (C) 2011 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2011 Martin Willi
6 * Copyright (C) 2011 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "main_mode.h"
20
21 #include <string.h>
22
23 #include <daemon.h>
24 #include <sa/keymat_v1.h>
25 #include <crypto/diffie_hellman.h>
26 #include <encoding/payloads/sa_payload.h>
27 #include <encoding/payloads/ke_payload.h>
28 #include <encoding/payloads/nonce_payload.h>
29 #include <encoding/payloads/id_payload.h>
30 #include <encoding/payloads/hash_payload.h>
31
32 typedef struct private_main_mode_t private_main_mode_t;
33
34 /**
35 * Private members of a main_mode_t task.
36 */
37 struct private_main_mode_t {
38
39 /**
40 * Public methods and task_t interface.
41 */
42 main_mode_t public;
43
44 /**
45 * Assigned IKE_SA.
46 */
47 ike_sa_t *ike_sa;
48
49 /**
50 * Are we the initiator?
51 */
52 bool initiator;
53
54 /**
55 * IKE config to establish
56 */
57 ike_cfg_t *ike_cfg;
58
59 /**
60 * Peer config to use
61 */
62 peer_cfg_t *peer_cfg;
63
64 /**
65 * Local authentication configuration
66 */
67 auth_cfg_t *my_auth;
68
69 /**
70 * Remote authentication configuration
71 */
72 auth_cfg_t *other_auth;
73
74 /**
75 * selected IKE proposal
76 */
77 proposal_t *proposal;
78
79 /**
80 * DH exchange
81 */
82 diffie_hellman_t *dh;
83
84 /**
85 * Keymat derivation (from SA)
86 */
87 keymat_v1_t *keymat;
88
89 /**
90 * Received public DH value from peer
91 */
92 chunk_t dh_value;
93
94 /**
95 * Initiators nonce
96 */
97 chunk_t nonce_i;
98
99 /**
100 * Responder nonce
101 */
102 chunk_t nonce_r;
103
104 /**
105 * Encoded SA initiator payload used for authentication
106 */
107 chunk_t sa_payload;
108
109 /** states of main mode */
110 enum {
111 MM_INIT,
112 MM_SA,
113 MM_KE,
114 MM_AUTH,
115 } state;
116 };
117
118 /**
119 * Get the first authentcation config from peer config
120 */
121 static auth_cfg_t *get_auth_cfg(private_main_mode_t *this, bool local)
122 {
123 enumerator_t *enumerator;
124 auth_cfg_t *cfg = NULL;
125
126 enumerator = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg,
127 local);
128 enumerator->enumerate(enumerator, &cfg);
129 enumerator->destroy(enumerator);
130 return cfg;
131 }
132
133 /**
134 * Save the encoded SA payload of a message
135 */
136 static bool save_sa_payload(private_main_mode_t *this, message_t *message)
137 {
138 enumerator_t *enumerator;
139 payload_t *payload, *sa = NULL;
140 chunk_t data;
141 size_t offset = IKE_HEADER_LENGTH;
142
143 enumerator = message->create_payload_enumerator(message);
144 while (enumerator->enumerate(enumerator, &payload))
145 {
146 if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1)
147 {
148 sa = payload;
149 break;
150 }
151 else
152 {
153 offset += payload->get_length(payload);
154 }
155 }
156 enumerator->destroy(enumerator);
157
158 data = message->get_packet_data(message);
159 if (sa && data.len >= offset + sa->get_length(sa))
160 {
161 /* Get SA payload without 4 byte fixed header */
162 data = chunk_skip(data, offset);
163 data.len = sa->get_length(sa);
164 data = chunk_skip(data, 4);
165 this->sa_payload = chunk_clone(data);
166 return TRUE;
167 }
168 return FALSE;
169 }
170
171 /**
172 * Build main mode hash payloads
173 */
174 static void build_hash(private_main_mode_t *this, bool initiator,
175 message_t *message, identification_t *id)
176 {
177 hash_payload_t *hash_payload;
178 chunk_t hash, dh;
179
180 this->dh->get_my_public_value(this->dh, &dh);
181 hash = this->keymat->get_hash(this->keymat, initiator, dh, this->dh_value,
182 this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
183 free(dh.ptr);
184
185 hash_payload = hash_payload_create();
186 hash_payload->set_hash(hash_payload, hash);
187 free(hash.ptr);
188
189 message->add_payload(message, &hash_payload->payload_interface);
190 }
191
192 /**
193 * Verify main mode hash payload
194 */
195 static bool verify_hash(private_main_mode_t *this, bool initiator,
196 message_t *message, identification_t *id)
197 {
198 hash_payload_t *hash_payload;
199 chunk_t hash, dh;
200 bool equal;
201
202 hash_payload = (hash_payload_t*)message->get_payload(message,
203 HASH_V1);
204 if (!hash_payload)
205 {
206 DBG1(DBG_IKE, "HASH payload missing in message");
207 return FALSE;
208 }
209 hash = hash_payload->get_hash(hash_payload);
210 this->dh->get_my_public_value(this->dh, &dh);
211 hash = this->keymat->get_hash(this->keymat, initiator, this->dh_value, dh,
212 this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
213 free(dh.ptr);
214 equal = chunk_equals(hash, hash_payload->get_hash(hash_payload));
215 free(hash.ptr);
216 if (!equal)
217 {
218 DBG1(DBG_IKE, "calculated HASH does not match HASH payload");
219 }
220 return equal;
221 }
222
223 /**
224 * Generate and add NONCE, KE payload
225 */
226 static bool add_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
227 message_t *message)
228 {
229 nonce_payload_t *nonce_payload;
230 ke_payload_t *ke_payload;
231 rng_t *rng;
232
233 ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1,
234 this->dh);
235 message->add_payload(message, &ke_payload->payload_interface);
236
237 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
238 if (!rng)
239 {
240 DBG1(DBG_IKE, "no RNG found to create nonce");
241 return FALSE;
242 }
243 rng->allocate_bytes(rng, NONCE_SIZE, nonce);
244 rng->destroy(rng);
245
246 nonce_payload = nonce_payload_create(NONCE_V1);
247 nonce_payload->set_nonce(nonce_payload, *nonce);
248 message->add_payload(message, &nonce_payload->payload_interface);
249
250 return TRUE;
251 }
252
253 /**
254 * Extract nonce from NONCE payload, process KE payload
255 */
256 static bool get_nonce_ke(private_main_mode_t *this, chunk_t *nonce,
257 message_t *message)
258 {
259 nonce_payload_t *nonce_payload;
260 ke_payload_t *ke_payload;
261
262 ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1);
263 if (!ke_payload)
264 {
265 DBG1(DBG_IKE, "KE payload missing in message");
266 return FALSE;
267 }
268 this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
269 this->dh->set_other_public_value(this->dh, this->dh_value);
270
271 nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
272 if (!nonce_payload)
273 {
274 DBG1(DBG_IKE, "NONCE payload missing in message");
275 return FALSE;
276 }
277 *nonce = nonce_payload->get_nonce(nonce_payload);
278
279 return TRUE;
280 }
281
282 METHOD(task_t, build_i, status_t,
283 private_main_mode_t *this, message_t *message)
284 {
285 switch (this->state)
286 {
287 case MM_INIT:
288 {
289 sa_payload_t *sa_payload;
290 linked_list_t *proposals;
291 packet_t *packet;
292
293 this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
294 DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
295 this->ike_sa->get_name(this->ike_sa),
296 this->ike_sa->get_unique_id(this->ike_sa),
297 this->ike_sa->get_other_host(this->ike_sa));
298 this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
299
300 proposals = this->ike_cfg->get_proposals(this->ike_cfg);
301
302 sa_payload = sa_payload_create_from_proposal_list(
303 SECURITY_ASSOCIATION_V1, proposals);
304 proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
305
306 message->add_payload(message, &sa_payload->payload_interface);
307
308 /* pregenerate message to store SA payload */
309 if (this->ike_sa->generate_message(this->ike_sa, message,
310 &packet) != SUCCESS)
311 {
312 DBG1(DBG_IKE, "pregenerating SA payload failed");
313 return FAILED;
314 }
315 packet->destroy(packet);
316 if (!save_sa_payload(this, message))
317 {
318 DBG1(DBG_IKE, "SA payload invalid");
319 return FAILED;
320 }
321
322 this->state = MM_SA;
323 return NEED_MORE;
324 }
325 case MM_SA:
326 {
327 u_int16_t group;
328
329 if (!this->proposal->get_algorithm(this->proposal,
330 DIFFIE_HELLMAN_GROUP, &group, NULL))
331 {
332 DBG1(DBG_IKE, "DH group selection failed");
333 return FAILED;
334 }
335 this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
336 group);
337 if (!this->dh)
338 {
339 DBG1(DBG_IKE, "negotiated DH group not supported");
340 return FAILED;
341 }
342 if (!add_nonce_ke(this, &this->nonce_i, message))
343 {
344 return FAILED;
345 }
346 this->state = MM_KE;
347 return NEED_MORE;
348 }
349 case MM_KE:
350 {
351 id_payload_t *id_payload;
352 identification_t *id;
353
354 this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
355 this->peer_cfg->get_ref(this->peer_cfg);
356
357 this->my_auth = get_auth_cfg(this, TRUE);
358 this->other_auth = get_auth_cfg(this, FALSE);
359 if (!this->my_auth || !this->other_auth)
360 {
361 DBG1(DBG_CFG, "no auth config found");
362 return FAILED;
363 }
364 id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
365 if (!id)
366 {
367 DBG1(DBG_CFG, "own identity not known");
368 return FAILED;
369 }
370
371 this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
372
373 id_payload = id_payload_create_from_identification(ID_V1, id);
374 message->add_payload(message, &id_payload->payload_interface);
375
376 build_hash(this, TRUE, message, id);
377
378 this->state = MM_AUTH;
379 return NEED_MORE;
380 }
381 default:
382 return FAILED;
383 }
384 }
385
386 METHOD(task_t, process_r, status_t,
387 private_main_mode_t *this, message_t *message)
388 {
389 switch (this->state)
390 {
391 case MM_INIT:
392 {
393 linked_list_t *list;
394 sa_payload_t *sa_payload;
395
396 this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
397 DBG0(DBG_IKE, "%H is initiating a Main Mode",
398 message->get_source(message));
399 this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
400
401 this->ike_sa->update_hosts(this->ike_sa,
402 message->get_destination(message),
403 message->get_source(message), TRUE);
404
405 sa_payload = (sa_payload_t*)message->get_payload(message,
406 SECURITY_ASSOCIATION_V1);
407 if (!sa_payload || !save_sa_payload(this, message))
408 {
409 DBG1(DBG_IKE, "SA payload missing or invalid");
410 return FAILED;
411 }
412
413 list = sa_payload->get_proposals(sa_payload);
414 this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
415 list, FALSE);
416 list->destroy_offset(list, offsetof(proposal_t, destroy));
417 if (!this->proposal)
418 {
419 DBG1(DBG_IKE, "no proposal found");
420 return FAILED;
421 }
422 this->state = MM_SA;
423 return NEED_MORE;
424 }
425 case MM_SA:
426 {
427 u_int16_t group;
428
429 if (!this->proposal->get_algorithm(this->proposal,
430 DIFFIE_HELLMAN_GROUP, &group, NULL))
431 {
432 DBG1(DBG_IKE, "DH group selection failed");
433 return FAILED;
434 }
435 this->dh = lib->crypto->create_dh(lib->crypto, group);
436 if (!this->dh)
437 {
438 DBG1(DBG_IKE, "negotiated DH group not supported");
439 return FAILED;
440 }
441 if (!get_nonce_ke(this, &this->nonce_i, message))
442 {
443 return FAILED;
444 }
445 this->state = MM_KE;
446 return NEED_MORE;
447 }
448 case MM_KE:
449 {
450 enumerator_t *enumerator;
451 id_payload_t *id_payload;
452 identification_t *id, *any;
453
454 id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
455 if (!id_payload)
456 {
457 DBG1(DBG_IKE, "IDii payload missing");
458 return FAILED;
459 }
460
461 id = id_payload->get_identification(id_payload);
462 any = identification_create_from_encoding(ID_ANY, chunk_empty);
463 enumerator = charon->backends->create_peer_cfg_enumerator(
464 charon->backends,
465 this->ike_sa->get_my_host(this->ike_sa),
466 this->ike_sa->get_other_host(this->ike_sa),
467 any, id);
468 if (!enumerator->enumerate(enumerator, &this->peer_cfg))
469 {
470 DBG1(DBG_IKE, "no peer config found");
471 id->destroy(id);
472 any->destroy(any);
473 enumerator->destroy(enumerator);
474 return FAILED;
475 }
476 this->peer_cfg->get_ref(this->peer_cfg);
477 enumerator->destroy(enumerator);
478 any->destroy(any);
479
480 this->ike_sa->set_other_id(this->ike_sa, id);
481
482 this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
483
484 this->my_auth = get_auth_cfg(this, TRUE);
485 this->other_auth = get_auth_cfg(this, FALSE);
486 if (!this->my_auth || !this->other_auth)
487 {
488 DBG1(DBG_IKE, "auth config missing");
489 return FAILED;
490 }
491
492 if (!verify_hash(this, TRUE, message, id))
493 {
494 return FAILED;
495 }
496
497 this->state = MM_AUTH;
498 return NEED_MORE;
499 }
500 default:
501 return FAILED;
502 }
503 }
504
505 /**
506 * Lookup a shared secret for this IKE_SA
507 */
508 static shared_key_t *lookup_shared_key(private_main_mode_t *this)
509 {
510 host_t *me, *other;
511 identification_t *my_id, *other_id;
512 shared_key_t *shared_key;
513
514 me = this->ike_sa->get_my_host(this->ike_sa);
515 other = this->ike_sa->get_other_host(this->ike_sa);
516 my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
517 other_id = identification_create_from_sockaddr(other->get_sockaddr(other));
518 if (!my_id || !other_id)
519 {
520 DESTROY_IF(my_id);
521 DESTROY_IF(other_id);
522 return NULL;
523 }
524 shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id,
525 other_id);
526 if (!shared_key)
527 {
528 DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
529 }
530 my_id->destroy(my_id);
531 other_id->destroy(other_id);
532 return shared_key;
533 }
534
535 /**
536 * Derive key material for this IKE_SA
537 */
538 static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i,
539 chunk_t nonce_r)
540 {
541 ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
542 shared_key_t *shared_key = NULL;
543 auth_class_t auth;
544
545 /* TODO-IKEv1: support other authentication classes */
546 auth = AUTH_CLASS_PSK;
547 switch (auth)
548 {
549 case AUTH_CLASS_PSK:
550 shared_key = lookup_shared_key(this);
551 break;
552 default:
553 break;
554 }
555 if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
556 this->dh_value, nonce_i, nonce_r, id, auth, shared_key))
557 {
558 DESTROY_IF(shared_key);
559 return FALSE;
560 }
561 DESTROY_IF(shared_key);
562 charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, nonce_i, nonce_r,
563 NULL);
564 return TRUE;
565 }
566
567 METHOD(task_t, build_r, status_t,
568 private_main_mode_t *this, message_t *message)
569 {
570 switch (this->state)
571 {
572 case MM_SA:
573 {
574 sa_payload_t *sa_payload;
575
576 sa_payload = sa_payload_create_from_proposal(SECURITY_ASSOCIATION_V1,
577 this->proposal);
578 message->add_payload(message, &sa_payload->payload_interface);
579
580 return NEED_MORE;
581 }
582 case MM_KE:
583 {
584 if (!add_nonce_ke(this, &this->nonce_r, message))
585 {
586 return FAILED;
587 }
588 if (!derive_keys(this, this->nonce_i, this->nonce_r))
589 {
590 DBG1(DBG_IKE, "key derivation failed");
591 return FAILED;
592 }
593 return NEED_MORE;
594 }
595 case MM_AUTH:
596 {
597 id_payload_t *id_payload;
598 identification_t *id;
599
600 id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
601 if (!id)
602 {
603 DBG1(DBG_CFG, "own identity not known");
604 return FAILED;
605 }
606
607 this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
608
609 id_payload = id_payload_create_from_identification(ID_V1, id);
610 message->add_payload(message, &id_payload->payload_interface);
611
612 build_hash(this, FALSE, message, id);
613
614 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
615 this->ike_sa->get_name(this->ike_sa),
616 this->ike_sa->get_unique_id(this->ike_sa),
617 this->ike_sa->get_my_host(this->ike_sa),
618 this->ike_sa->get_my_id(this->ike_sa),
619 this->ike_sa->get_other_host(this->ike_sa),
620 this->ike_sa->get_other_id(this->ike_sa));
621 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
622 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
623
624 /* TODO-IKEv1: Check the proposal for XAuthInit* auth modes */
625 /* TODO-IKEv1: check for XAUTH rounds, queue them */
626 if(0) /* TODO-IKEv1: Change to 1 if XAUTH is desired. */
627 return MIGRATE;
628 return SUCCESS;
629 }
630 default:
631 return FAILED;
632 }
633 }
634
635 METHOD(task_t, process_i, status_t,
636 private_main_mode_t *this, message_t *message)
637 {
638 switch (this->state)
639 {
640 case MM_SA:
641 {
642 linked_list_t *list;
643 sa_payload_t *sa_payload;
644
645 sa_payload = (sa_payload_t*)message->get_payload(message,
646 SECURITY_ASSOCIATION_V1);
647 if (!sa_payload)
648 {
649 DBG1(DBG_IKE, "SA payload missing");
650 return FAILED;
651 }
652 list = sa_payload->get_proposals(sa_payload);
653 this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
654 list, FALSE);
655 list->destroy_offset(list, offsetof(proposal_t, destroy));
656 if (!this->proposal)
657 {
658 DBG1(DBG_IKE, "no proposal found");
659 return FAILED;
660 }
661 return NEED_MORE;
662 }
663 case MM_KE:
664 {
665 if (!get_nonce_ke(this, &this->nonce_r, message))
666 {
667 return FAILED;
668 }
669 if (!derive_keys(this, this->nonce_i, this->nonce_r))
670 {
671 DBG1(DBG_IKE, "key derivation failed");
672 return FAILED;
673 }
674 return NEED_MORE;
675 }
676 case MM_AUTH:
677 {
678 id_payload_t *id_payload;
679 identification_t *id;
680
681 id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
682 if (!id_payload)
683 {
684 DBG1(DBG_IKE, "IDir payload missing");
685 return FAILED;
686 }
687 id = id_payload->get_identification(id_payload);
688 if (!id->matches(id, this->other_auth->get(this->other_auth,
689 AUTH_RULE_IDENTITY)))
690 {
691 DBG1(DBG_IKE, "IDir does not match");
692 id->destroy(id);
693 return FAILED;
694 }
695 this->ike_sa->set_other_id(this->ike_sa, id);
696
697 if (!verify_hash(this, FALSE, message, id))
698 {
699 return FAILED;
700 }
701
702 /* TODO-IKEv1: check for XAUTH rounds, queue them */
703 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
704 this->ike_sa->get_name(this->ike_sa),
705 this->ike_sa->get_unique_id(this->ike_sa),
706 this->ike_sa->get_my_host(this->ike_sa),
707 this->ike_sa->get_my_id(this->ike_sa),
708 this->ike_sa->get_other_host(this->ike_sa),
709 this->ike_sa->get_other_id(this->ike_sa));
710 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
711 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
712 return SUCCESS;
713 }
714 default:
715 return FAILED;
716 }
717 }
718
719 METHOD(task_t, get_type, task_type_t,
720 private_main_mode_t *this)
721 {
722 return TASK_MAIN_MODE;
723 }
724
725 METHOD(task_t, migrate, void,
726 private_main_mode_t *this, ike_sa_t *ike_sa)
727 {
728 this->ike_sa = ike_sa;
729 }
730
731 METHOD(task_t, destroy, void,
732 private_main_mode_t *this)
733 {
734 DESTROY_IF(this->peer_cfg);
735 DESTROY_IF(this->proposal);
736 DESTROY_IF(this->dh);
737 free(this->dh_value.ptr);
738 free(this->nonce_i.ptr);
739 free(this->nonce_r.ptr);
740 free(this->sa_payload.ptr);
741 free(this);
742 }
743
744 /*
745 * Described in header.
746 */
747 main_mode_t *main_mode_create(ike_sa_t *ike_sa, bool initiator)
748 {
749 private_main_mode_t *this;
750
751 INIT(this,
752 .public = {
753 .task = {
754 .get_type = _get_type,
755 .migrate = _migrate,
756 .destroy = _destroy,
757 },
758 },
759 .ike_sa = ike_sa,
760 .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
761 .initiator = initiator,
762 .state = MM_INIT,
763 );
764
765 if (initiator)
766 {
767 this->public.task.build = _build_i;
768 this->public.task.process = _process_i;
769 }
770 else
771 {
772 this->public.task.build = _build_r;
773 this->public.task.process = _process_r;
774 }
775
776 return &this->public;
777 }
strongSwan - IPsec VPN