projects / strongswan.git / blob
? search:


eb9312d2b2d40781170289c75d91f7121002e166
[strongswan.git] / src / libcharon / sa / tasks / quick_mode.c
1 /*
2 * Copyright (C) 2011 Martin Willi
3 * Copyright (C) 2011 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "quick_mode.h"
17
18 #include <string.h>
19
20 #include <daemon.h>
21 #include <sa/keymat_v1.h>
22 #include <encoding/payloads/sa_payload.h>
23 #include <encoding/payloads/nonce_payload.h>
24 #include <encoding/payloads/id_payload.h>
25
26 typedef struct private_quick_mode_t private_quick_mode_t;
27
28 /**
29 * Private members of a quick_mode_t task.
30 */
31 struct private_quick_mode_t {
32
33 /**
34 * Public methods and task_t interface.
35 */
36 quick_mode_t public;
37
38 /**
39 * Assigned IKE_SA.
40 */
41 ike_sa_t *ike_sa;
42
43 /**
44 * TRUE if we are initiating quick mode
45 */
46 bool initiator;
47
48 /**
49 * Traffic selector of initiator
50 */
51 traffic_selector_t *tsi;
52
53 /**
54 * Traffic selector of responder
55 */
56 traffic_selector_t *tsr;
57
58 /**
59 * Initiators nonce
60 */
61 chunk_t nonce_i;
62
63 /**
64 * Responder nonce
65 */
66 chunk_t nonce_r;
67
68 /**
69 * Initiators ESP SPI
70 */
71 u_int32_t spi_i;
72
73 /**
74 * Responder ESP SPI
75 */
76 u_int32_t spi_r;
77
78 /**
79 * selected CHILD_SA proposal
80 */
81 proposal_t *proposal;
82
83 /**
84 * Config of CHILD_SA to establish
85 */
86 child_cfg_t *config;
87
88 /**
89 * CHILD_SA we are about to establish
90 */
91 child_sa_t *child_sa;
92
93 /**
94 * IKEv1 keymat
95 */
96 keymat_v1_t *keymat;
97
98 /** states of quick mode */
99 enum {
100 QM_INIT,
101 QM_NEGOTIATED,
102 } state;
103 };
104
105 /**
106 * Install negotiated CHILD_SA
107 */
108 static bool install(private_quick_mode_t *this)
109 {
110 status_t status, status_i, status_o;
111 chunk_t encr_i, encr_r, integ_i, integ_r;
112 linked_list_t *tsi, *tsr;
113
114 this->child_sa->set_proposal(this->child_sa, this->proposal);
115 this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
116 this->child_sa->set_mode(this->child_sa, MODE_TUNNEL);
117 this->child_sa->set_protocol(this->child_sa,
118 this->proposal->get_protocol(this->proposal));
119
120 status_i = status_o = FAILED;
121 encr_i = encr_r = integ_i = integ_r = chunk_empty;
122 tsi = linked_list_create();
123 tsr = linked_list_create();
124 tsi->insert_last(tsi, this->tsi);
125 tsr->insert_last(tsr, this->tsr);
126 if (this->keymat->derive_child_keys(this->keymat, this->proposal, NULL,
127 this->spi_i, this->spi_r, this->nonce_i, this->nonce_r,
128 &encr_i, &integ_i, &encr_r, &integ_r))
129 {
130 if (this->initiator)
131 {
132 status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
133 this->spi_i, 0, TRUE, FALSE, tsi, tsr);
134 status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
135 this->spi_r, 0, FALSE, FALSE, tsi, tsr);
136 }
137 else
138 {
139 status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
140 this->spi_r, 0, TRUE, FALSE, tsr, tsi);
141 status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
142 this->spi_i, 0, FALSE, FALSE, tsr, tsi);
143 }
144 }
145 chunk_clear(&integ_i);
146 chunk_clear(&integ_r);
147 chunk_clear(&encr_i);
148 chunk_clear(&encr_r);
149
150 if (status_i != SUCCESS || status_o != SUCCESS)
151 {
152 DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
153 (status_i != SUCCESS) ? "inbound " : "",
154 (status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
155 (status_o != SUCCESS) ? "outbound " : "");
156 tsi->destroy(tsi);
157 tsr->destroy(tsr);
158 return FALSE;
159 }
160
161 if (this->initiator)
162 {
163 status = this->child_sa->add_policies(this->child_sa, tsi, tsr);
164 }
165 else
166 {
167 status = this->child_sa->add_policies(this->child_sa, tsr, tsi);
168 }
169 tsi->destroy(tsi);
170 tsr->destroy(tsr);
171 if (status != SUCCESS)
172 {
173 DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
174 return FALSE;
175 }
176
177 charon->bus->child_keys(charon->bus, this->child_sa, this->initiator,
178 NULL, this->nonce_i, this->nonce_r);
179
180 /* add to IKE_SA, and remove from task */
181 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
182 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
183
184 DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
185 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
186 this->child_sa->get_name(this->child_sa),
187 this->child_sa->get_reqid(this->child_sa),
188 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
189 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
190 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
191 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
192
193 charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
194
195 this->child_sa = NULL;
196
197 return TRUE;
198 }
199
200 /**
201 * Generate and add NONCE
202 */
203 static bool add_nonce(private_quick_mode_t *this, chunk_t *nonce,
204 message_t *message)
205 {
206 nonce_payload_t *nonce_payload;
207 rng_t *rng;
208
209 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
210 if (!rng)
211 {
212 DBG1(DBG_IKE, "no RNG found to create nonce");
213 return FALSE;
214 }
215 rng->allocate_bytes(rng, NONCE_SIZE, nonce);
216 rng->destroy(rng);
217
218 nonce_payload = nonce_payload_create(NONCE_V1);
219 nonce_payload->set_nonce(nonce_payload, *nonce);
220 message->add_payload(message, &nonce_payload->payload_interface);
221
222 return TRUE;
223 }
224
225 /**
226 * Extract nonce from NONCE payload
227 */
228 static bool get_nonce(private_quick_mode_t *this, chunk_t *nonce,
229 message_t *message)
230 {
231 nonce_payload_t *nonce_payload;
232
233 nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
234 if (!nonce_payload)
235 {
236 DBG1(DBG_IKE, "NONCE payload missing in message");
237 return FALSE;
238 }
239 *nonce = nonce_payload->get_nonce(nonce_payload);
240
241 return TRUE;
242 }
243
244 /**
245 * Select a traffic selector from configuration
246 */
247 static traffic_selector_t* select_ts(private_quick_mode_t *this, bool initiator)
248 {
249 traffic_selector_t *ts;
250 linked_list_t *list;
251 host_t *host;
252
253 if (initiator)
254 {
255 host = this->ike_sa->get_my_host(this->ike_sa);
256 }
257 else
258 {
259 host = this->ike_sa->get_other_host(this->ike_sa);
260 }
261 list = this->config->get_traffic_selectors(this->config, initiator,
262 NULL, host);
263 if (list->get_first(list, (void**)&ts) == SUCCESS)
264 {
265 if (list->get_count(list) > 1)
266 {
267 DBG1(DBG_IKE, "configuration has more than one %s traffic selector,"
268 " using first only", initiator ? "initiator" : "responder");
269 }
270 ts = ts->clone(ts);
271 }
272 else
273 {
274 DBG1(DBG_IKE, "%s traffic selector missing in configuration",
275 initiator ? "initiator" : "responder");
276 ts = NULL;
277 }
278 list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
279 return ts;
280 }
281
282 /**
283 * Add selected traffic selectors to message
284 */
285 static void add_ts(private_quick_mode_t *this, message_t *message)
286 {
287 id_payload_t *id_payload;
288 host_t *hsi, *hsr;
289
290 if (this->initiator)
291 {
292 hsi = this->ike_sa->get_my_host(this->ike_sa);
293 hsr = this->ike_sa->get_other_host(this->ike_sa);
294 }
295 else
296 {
297 hsr = this->ike_sa->get_my_host(this->ike_sa);
298 hsi = this->ike_sa->get_other_host(this->ike_sa);
299 }
300 /* add ID payload only if negotiating non host2host tunnels */
301 if (!this->tsi->is_host(this->tsi, hsi) ||
302 !this->tsr->is_host(this->tsr, hsr) ||
303 this->tsi->get_protocol(this->tsi) ||
304 this->tsr->get_protocol(this->tsr) ||
305 this->tsi->get_from_port(this->tsi) ||
306 this->tsr->get_from_port(this->tsr) ||
307 this->tsi->get_to_port(this->tsi) != 65535 ||
308 this->tsr->get_to_port(this->tsr) != 65535)
309 {
310 id_payload = id_payload_create_from_ts(this->tsi);
311 message->add_payload(message, &id_payload->payload_interface);
312 id_payload = id_payload_create_from_ts(this->tsr);
313 message->add_payload(message, &id_payload->payload_interface);
314 }
315 }
316
317 /**
318 * Get traffic selectors from received message
319 */
320 static bool get_ts(private_quick_mode_t *this, message_t *message)
321 {
322 traffic_selector_t *tsi = NULL, *tsr = NULL;
323 enumerator_t *enumerator;
324 id_payload_t *id_payload;
325 payload_t *payload;
326 host_t *hsi, *hsr;
327 bool first = TRUE;
328
329 enumerator = message->create_payload_enumerator(message);
330 while (enumerator->enumerate(enumerator, &payload))
331 {
332 if (payload->get_type(payload) == ID_V1)
333 {
334 id_payload = (id_payload_t*)payload;
335
336 if (first)
337 {
338 tsi = id_payload->get_ts(id_payload);
339 first = FALSE;
340 }
341 else
342 {
343 tsr = id_payload->get_ts(id_payload);
344 break;
345 }
346 }
347 }
348 enumerator->destroy(enumerator);
349
350 /* create host2host selectors if ID payloads missing */
351 if (this->initiator)
352 {
353 hsi = this->ike_sa->get_my_host(this->ike_sa);
354 hsr = this->ike_sa->get_other_host(this->ike_sa);
355 }
356 else
357 {
358 hsr = this->ike_sa->get_my_host(this->ike_sa);
359 hsi = this->ike_sa->get_other_host(this->ike_sa);
360 }
361 if (!tsi)
362 {
363 tsi = traffic_selector_create_from_subnet(hsi->clone(hsi),
364 hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0);
365 }
366 if (!tsr)
367 {
368 tsr = traffic_selector_create_from_subnet(hsr->clone(hsr),
369 hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0);
370 }
371 if (this->initiator)
372 {
373 /* check if peer selection valid */
374 if (!tsr->is_contained_in(tsr, this->tsr) ||
375 !tsi->is_contained_in(tsi, this->tsi))
376 {
377 DBG1(DBG_IKE, "peer selected invalid traffic selectors: ",
378 "%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr);
379 tsi->destroy(tsi);
380 tsr->destroy(tsr);
381 return FALSE;
382 }
383 this->tsi->destroy(this->tsi);
384 this->tsr->destroy(this->tsr);
385 this->tsi = tsi;
386 this->tsr = tsr;
387 }
388 else
389 {
390 this->tsi = tsi;
391 this->tsr = tsr;
392 }
393 return TRUE;
394 }
395
396 METHOD(task_t, build_i, status_t,
397 private_quick_mode_t *this, message_t *message)
398 {
399 switch (this->state)
400 {
401 case QM_INIT:
402 {
403 enumerator_t *enumerator;
404 sa_payload_t *sa_payload;
405 linked_list_t *list;
406 proposal_t *proposal;
407
408 this->child_sa = child_sa_create(
409 this->ike_sa->get_my_host(this->ike_sa),
410 this->ike_sa->get_other_host(this->ike_sa),
411 this->config, 0, FALSE);
412
413 list = this->config->get_proposals(this->config, TRUE);
414
415 this->spi_i = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
416 if (!this->spi_i)
417 {
418 DBG1(DBG_IKE, "allocating SPI from kernel failed");
419 return FAILED;
420 }
421 enumerator = list->create_enumerator(list);
422 while (enumerator->enumerate(enumerator, &proposal))
423 {
424 proposal->set_spi(proposal, this->spi_i);
425 }
426 enumerator->destroy(enumerator);
427
428 sa_payload = sa_payload_create_from_proposal_list(
429 SECURITY_ASSOCIATION_V1, list);
430 list->destroy_offset(list, offsetof(proposal_t, destroy));
431 message->add_payload(message, &sa_payload->payload_interface);
432
433 if (!add_nonce(this, &this->nonce_i, message))
434 {
435 return FAILED;
436 }
437 this->tsi = select_ts(this, TRUE);
438 this->tsr = select_ts(this, FALSE);
439 if (!this->tsi || !this->tsr)
440 {
441 return FAILED;
442 }
443 add_ts(this, message);
444 return NEED_MORE;
445 }
446 case QM_NEGOTIATED:
447 {
448 return SUCCESS;
449 }
450 default:
451 return FAILED;
452 }
453 }
454
455 METHOD(task_t, process_r, status_t,
456 private_quick_mode_t *this, message_t *message)
457 {
458 switch (this->state)
459 {
460 case QM_INIT:
461 {
462 sa_payload_t *sa_payload;
463 linked_list_t *tsi, *tsr, *list;
464 peer_cfg_t *peer_cfg;
465 host_t *me, *other;
466
467 if (!get_ts(this, message))
468 {
469 return FAILED;
470 }
471 me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
472 if (!me)
473 {
474 me = this->ike_sa->get_my_host(this->ike_sa);
475 }
476 other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
477 if (!other)
478 {
479 other = this->ike_sa->get_other_host(this->ike_sa);
480 }
481 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
482 tsi = linked_list_create();
483 tsr = linked_list_create();
484 tsi->insert_last(tsi, this->tsi);
485 tsr->insert_last(tsr, this->tsr);
486 this->config = peer_cfg->select_child_cfg(peer_cfg, tsr, tsi,
487 me, other);
488 tsi->destroy(tsi);
489 tsr->destroy(tsr);
490 if (!this->config)
491 {
492 DBG1(DBG_IKE, "no child config found");
493 return FAILED;
494 }
495
496 sa_payload = (sa_payload_t*)message->get_payload(message,
497 SECURITY_ASSOCIATION_V1);
498 if (!sa_payload)
499 {
500 DBG1(DBG_IKE, "sa payload missing");
501 return FAILED;
502 }
503 list = sa_payload->get_proposals(sa_payload);
504 this->proposal = this->config->select_proposal(this->config,
505 list, TRUE, FALSE);
506 list->destroy_offset(list, offsetof(proposal_t, destroy));
507 if (!this->proposal)
508 {
509 DBG1(DBG_IKE, "no matching proposal found");
510 return FAILED;
511 }
512 this->spi_i = this->proposal->get_spi(this->proposal);
513
514 if (!get_nonce(this, &this->nonce_i, message))
515 {
516 return FAILED;
517 }
518 this->child_sa = child_sa_create(
519 this->ike_sa->get_my_host(this->ike_sa),
520 this->ike_sa->get_other_host(this->ike_sa),
521 this->config, 0, FALSE);
522 return NEED_MORE;
523 }
524 case QM_NEGOTIATED:
525 {
526 if (!install(this))
527 {
528 return FAILED;
529 }
530 return SUCCESS;
531 }
532 default:
533 return FAILED;
534 }
535 }
536
537 METHOD(task_t, build_r, status_t,
538 private_quick_mode_t *this, message_t *message)
539 {
540 switch (this->state)
541 {
542 case QM_INIT:
543 {
544 sa_payload_t *sa_payload;
545
546 this->spi_r = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
547 if (!this->spi_r)
548 {
549 DBG1(DBG_IKE, "allocating SPI from kernel failed");
550 return FAILED;
551 }
552 this->proposal->set_spi(this->proposal, this->spi_r);
553
554 sa_payload = sa_payload_create_from_proposal(
555 SECURITY_ASSOCIATION_V1, this->proposal);
556 message->add_payload(message, &sa_payload->payload_interface);
557
558 if (!add_nonce(this, &this->nonce_r, message))
559 {
560 return FAILED;
561 }
562 add_ts(this, message);
563
564 this->state = QM_NEGOTIATED;
565 return NEED_MORE;
566 }
567 default:
568 return FAILED;
569 }
570 }
571
572 METHOD(task_t, process_i, status_t,
573 private_quick_mode_t *this, message_t *message)
574 {
575 switch (this->state)
576 {
577 case QM_INIT:
578 {
579 sa_payload_t *sa_payload;
580 linked_list_t *list;
581
582 sa_payload = (sa_payload_t*)message->get_payload(message,
583 SECURITY_ASSOCIATION_V1);
584 if (!sa_payload)
585 {
586 DBG1(DBG_IKE, "sa payload missing");
587 return FAILED;
588 }
589 list = sa_payload->get_proposals(sa_payload);
590 this->proposal = this->config->select_proposal(this->config,
591 list, TRUE, FALSE);
592 list->destroy_offset(list, offsetof(proposal_t, destroy));
593 if (!this->proposal)
594 {
595 DBG1(DBG_IKE, "no matching proposal found");
596 return FAILED;
597 }
598 this->spi_r = this->proposal->get_spi(this->proposal);
599
600 if (!get_nonce(this, &this->nonce_r, message))
601 {
602 return FAILED;
603 }
604 if (!get_ts(this, message))
605 {
606 return FAILED;
607 }
608 if (!install(this))
609 {
610 return FAILED;
611 }
612 this->state = QM_NEGOTIATED;
613 return NEED_MORE;
614 }
615 default:
616 return FAILED;
617 }
618 }
619
620 METHOD(task_t, get_type, task_type_t,
621 private_quick_mode_t *this)
622 {
623 return TASK_QUICK_MODE;
624 }
625
626 METHOD(task_t, migrate, void,
627 private_quick_mode_t *this, ike_sa_t *ike_sa)
628 {
629 this->ike_sa = ike_sa;
630 }
631
632 METHOD(task_t, destroy, void,
633 private_quick_mode_t *this)
634 {
635 chunk_free(&this->nonce_i);
636 chunk_free(&this->nonce_r);
637 DESTROY_IF(this->tsi);
638 DESTROY_IF(this->tsr);
639 DESTROY_IF(this->proposal);
640 DESTROY_IF(this->child_sa);
641 DESTROY_IF(this->config);
642 free(this);
643 }
644
645 /*
646 * Described in header.
647 */
648 quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config,
649 traffic_selector_t *tsi, traffic_selector_t *tsr)
650 {
651 private_quick_mode_t *this;
652
653 INIT(this,
654 .public = {
655 .task = {
656 .get_type = _get_type,
657 .migrate = _migrate,
658 .destroy = _destroy,
659 },
660 },
661 .ike_sa = ike_sa,
662 .initiator = config != NULL,
663 .config = config,
664 .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
665 .state = QM_INIT,
666 );
667
668 if (config)
669 {
670 this->public.task.build = _build_i;
671 this->public.task.process = _process_i;
672 }
673 else
674 {
675 this->public.task.build = _build_r;
676 this->public.task.process = _process_r;
677 }
678
679 return &this->public;
680 }
strongSwan - IPsec VPN