- cleanup of states ike_auth_requested and ike_sa_init_responded
This commit is contained in:
parent
1c7d92a7f6
commit
283dbcc590
|
@ -86,7 +86,7 @@
|
|||
* This is the maximum allowed level for ever context, the definiton
|
||||
* of the context may be less verbose.
|
||||
*/
|
||||
#define DEFAULT_LOGLEVEL CONTROL | ERROR
|
||||
#define DEFAULT_LOGLEVEL CONTROL | ERROR | AUDIT
|
||||
|
||||
|
||||
typedef struct daemon_t daemon_t;
|
||||
|
|
|
@ -844,6 +844,45 @@ static status_t send_response (private_ike_sa_t *this,message_t * message)
|
|||
return SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of of private_responder_init_t.send_notify_reply.
|
||||
*/
|
||||
static void send_notify(private_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data)
|
||||
{
|
||||
notify_payload_t *payload;
|
||||
message_t *response;
|
||||
packet_t *packet;
|
||||
status_t status;
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload");
|
||||
/* set up the reply */
|
||||
this->protected.build_message(&(this->protected), exchange_type, FALSE, &response);
|
||||
payload = notify_payload_create_from_protocol_and_type(IKE,type);
|
||||
if ((data.ptr != NULL) && (data.len > 0))
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload");
|
||||
payload->set_notification_data(payload,data);
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Add Notify payload to message");
|
||||
response->add_payload(response,(payload_t *) payload);
|
||||
|
||||
/* generate packet */
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Gnerate packet from message");
|
||||
status = response->generate(response, this->crypter_responder, this->signer_responder, &packet);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR|LEVEL1, "Could not generate notify message");
|
||||
response->destroy(response);
|
||||
return;
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
|
||||
charon->send_queue->add(charon->send_queue, packet);
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy message");
|
||||
response->destroy(response);
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of protected_ike_sa_t.set_last_replied_message_id.
|
||||
*/
|
||||
|
@ -1050,6 +1089,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
|
|||
this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
|
||||
this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request;
|
||||
this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response;
|
||||
this->protected.send_notify = (void (*)(protected_ike_sa_t*,exchange_type_t,notify_message_type_t,chunk_t)) send_notify;
|
||||
this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,ike_proposal_t *)) create_transforms_from_proposal;
|
||||
this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
|
||||
this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
|
||||
|
|
|
@ -288,6 +288,16 @@ struct protected_ike_sa_t {
|
|||
* - FAILED if message id is not next expected one
|
||||
*/
|
||||
status_t (*send_response) (protected_ike_sa_t *this,message_t * message);
|
||||
|
||||
/**
|
||||
* @brief Send a notify reply message.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param exchange_type type of exchange in which the notify should be wrapped
|
||||
* @param type type of the notify message to send
|
||||
* @param data notification data
|
||||
*/
|
||||
void (*send_notify) (protected_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data);
|
||||
|
||||
/**
|
||||
* @brief Get the internal stored randomizer_t object.
|
||||
|
|
|
@ -123,7 +123,18 @@ struct private_ike_auth_requested_t {
|
|||
* - DELETE_ME
|
||||
*/
|
||||
status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload);
|
||||
|
||||
|
||||
/**
|
||||
* Process a notify payload
|
||||
*
|
||||
* @param this calling object
|
||||
* @param ts_initiator TRUE if TS payload is TSi, FALSE for TSr
|
||||
* @param ts_payload TS payload of responder
|
||||
*
|
||||
* - SUCCESS
|
||||
* - DELETE_ME
|
||||
*/
|
||||
status_t (*process_notify_payload) (private_ike_auth_requested_t *this, notify_payload_t *notify_payload);
|
||||
};
|
||||
|
||||
|
||||
|
@ -132,14 +143,15 @@ struct private_ike_auth_requested_t {
|
|||
*/
|
||||
static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply)
|
||||
{
|
||||
ts_payload_t *tsi_payload, *tsr_payload;
|
||||
ts_payload_t *tsi_payload = NULL, *tsr_payload = NULL;
|
||||
id_payload_t *idr_payload = NULL;
|
||||
auth_payload_t *auth_payload;
|
||||
sa_payload_t *sa_payload;
|
||||
iterator_t *payloads;
|
||||
crypter_t *crypter;
|
||||
signer_t *signer;
|
||||
auth_payload_t *auth_payload = NULL;
|
||||
sa_payload_t *sa_payload = NULL;
|
||||
iterator_t *payloads = NULL;
|
||||
crypter_t *crypter = NULL;
|
||||
signer_t *signer = NULL;
|
||||
status_t status;
|
||||
host_t *my_host, *other_host;
|
||||
|
||||
if (ike_auth_reply->get_exchange_type(ike_auth_reply) != IKE_AUTH)
|
||||
{
|
||||
|
@ -150,7 +162,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
|
|||
|
||||
if (ike_auth_reply->get_request(ike_auth_reply))
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | LEVEL1, "Only responses of type IKE_AUTH supported in state ike_auth_requested");
|
||||
this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH requests not allowed state ike_sa_init_responded");
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
|
@ -162,13 +174,15 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
|
|||
status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | LEVEL1, "Could not parse body of request message");
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply decryption faild. Ignoring message");
|
||||
return status;
|
||||
}
|
||||
|
||||
this->sa_config = this->ike_sa->get_sa_config(this->ike_sa);
|
||||
|
||||
/* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */
|
||||
/* we collect all payloads, which are processed later. Notify's are processed
|
||||
* in place, since we don't know how may are there.
|
||||
*/
|
||||
payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply);
|
||||
while (payloads->has_next(payloads))
|
||||
{
|
||||
|
@ -192,11 +206,6 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
|
|||
sa_payload = (sa_payload_t*)payload;
|
||||
break;
|
||||
}
|
||||
case CERTIFICATE:
|
||||
{
|
||||
/* TODO handle cert payloads */
|
||||
break;
|
||||
}
|
||||
case TRAFFIC_SELECTOR_INITIATOR:
|
||||
{
|
||||
tsi_payload = (ts_payload_t*)payload;
|
||||
|
@ -210,116 +219,73 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
|
|||
case NOTIFY:
|
||||
{
|
||||
notify_payload_t *notify_payload = (notify_payload_t *) payload;
|
||||
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
|
||||
mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
|
||||
mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
|
||||
|
||||
if (notify_payload->get_protocol_id(notify_payload) != IKE)
|
||||
/* handle the notify directly, abort if no further processing required */
|
||||
status = this->process_notify_payload(this, notify_payload);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | LEVEL1, "Notify reply not for IKE protocol");
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
||||
switch (notify_payload->get_notify_message_type(notify_payload))
|
||||
{
|
||||
case INVALID_SYNTAX:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Going to destroy IKE_SA");
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
|
||||
}
|
||||
case AUTHENTICATION_FAILED:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Keys invalid?. Going to destroy IKE_SA");
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
|
||||
}
|
||||
case SINGLE_PAIR_REQUIRED:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Please reconfigure CHILD_SA. Going to destroy IKE_SA");
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
}
|
||||
default:
|
||||
{
|
||||
/*
|
||||
* - In case of unknown error: IKE_SA gets destroyed.
|
||||
* - In case of unknown status: logging
|
||||
*
|
||||
*/
|
||||
notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
|
||||
if (notify_message_type < 16383)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Notify error type %d not recognized in state IKE_AUTH_REQUESTED.",
|
||||
notify_message_type);
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Notify status type %d not handled in state IKE_AUTH_REQUESTED.",
|
||||
notify_message_type);
|
||||
break;
|
||||
}
|
||||
}
|
||||
return status;
|
||||
}
|
||||
}
|
||||
case CERTIFICATE:
|
||||
{
|
||||
/* TODO handle cert payloads */
|
||||
}
|
||||
default:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Payload id %d not handled in state IKE_AUTH_REQUESTED", payload->get_type(payload));
|
||||
this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)",
|
||||
mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload));
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
/* iterator can be destroyed */
|
||||
payloads->destroy(payloads);
|
||||
|
||||
/* check if we have all payloads */
|
||||
if (!(idr_payload && sa_payload && auth_payload && tsi_payload && tsr_payload))
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA");
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
||||
/* process all payloads */
|
||||
status = this->process_idr_payload(this, idr_payload);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Processing idr payload failed");
|
||||
return status;
|
||||
}
|
||||
status = this->process_sa_payload(this, sa_payload);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Processing sa payload failed");
|
||||
return status;
|
||||
}
|
||||
status = this->process_auth_payload(this, auth_payload,idr_payload);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Processing auth payload failed");
|
||||
return status;
|
||||
}
|
||||
status = this->process_ts_payload(this, TRUE, tsi_payload);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Processing tsi payload failed");
|
||||
return status;
|
||||
}
|
||||
status = this->process_ts_payload(this, FALSE, tsr_payload);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Processing tsr payload failed");
|
||||
return status;
|
||||
}
|
||||
|
||||
this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
|
||||
this->logger->log(this->logger, CONTROL | LEVEL1, "IKE_AUTH response successfully handled. IKE_SA established.");
|
||||
|
||||
/* create new state */
|
||||
this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
|
||||
this->ike_sa->create_delete_established_ike_sa_job(this->ike_sa,this->sa_config->get_ike_sa_lifetime(this->sa_config));
|
||||
|
||||
this->public.state_interface.destroy(&(this->public.state_interface));
|
||||
|
||||
my_host = this->ike_sa->get_my_host(this->ike_sa);
|
||||
other_host = this->ike_sa->get_other_host(this->ike_sa);
|
||||
this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s",
|
||||
my_host->get_address(my_host), other_host->get_address(other_host));
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
|
@ -335,20 +301,20 @@ static status_t process_idr_payload(private_ike_auth_requested_t *this, id_paylo
|
|||
configured_other_id = this->sa_config->get_other_id(this->sa_config);
|
||||
if (configured_other_id)
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL, "configured ID: %s, ID of responder: %s",
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s",
|
||||
configured_other_id->get_string(configured_other_id),
|
||||
other_id->get_string(other_id));
|
||||
|
||||
if (!other_id->equals(other_id, configured_other_id))
|
||||
{
|
||||
other_id->destroy(other_id);
|
||||
this->logger->log(this->logger, ERROR, "IKE_AUTH reply didn't contain requested id");
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not requested ID. Deleting IKE_SA");
|
||||
return DELETE_ME;
|
||||
}
|
||||
}
|
||||
|
||||
other_id->destroy(other_id);
|
||||
/* TODO do we have to store other_id somewhere ? */
|
||||
/* TODO do we have to store other_id somewhere ? */
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
|
@ -369,20 +335,21 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
|
|||
status = sa_payload->get_child_proposals(sa_payload, &proposals, &proposal_count);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "responders sa payload contained no proposals");
|
||||
return DELETE_ME;
|
||||
/* there are no proposals. This is possible if the requester doesn't want to setup a child sa */
|
||||
this->logger->log(this->logger, CONTROL, "Responders SA_PAYLOAD contained no proposals, no CHILD_SA is built");
|
||||
return SUCCESS;
|
||||
}
|
||||
if (proposal_count > 1)
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD contained more than one proposal. Deleting IKE_SA");
|
||||
allocator_free(proposals);
|
||||
this->logger->log(this->logger, ERROR, "responders sa payload contained more than one proposal");
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
||||
proposal_chosen = this->sa_config->select_proposal(this->sa_config, ah_spi, esp_spi, proposals, proposal_count);
|
||||
if (proposal_chosen == NULL)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "responder selected an not offered proposal");
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not offered proposal. Deleting IKE_SA");
|
||||
allocator_free(proposals);
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
@ -404,18 +371,16 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa
|
|||
authenticator_t *authenticator;
|
||||
status_t status;
|
||||
|
||||
/* TODO VERIFY auth here */
|
||||
authenticator = authenticator_create(this->ike_sa);
|
||||
|
||||
status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE);
|
||||
authenticator->destroy(authenticator);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Could not verify AUTH data. Error status: %s",mapping_find(status_m,status));
|
||||
this->logger->log(this->logger, AUDIT, "Verification of IKE_AUTH reply failed. Deleting IKE_SA");
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL | LEVEL1, "AUTH data verified");
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "AUTH data verified successfully");
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
|
@ -442,7 +407,7 @@ static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_i
|
|||
/* check if the responder selected valid proposals */
|
||||
if (ts_selected_count != ts_received_count)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "responder selected invalid traffic selectors");
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained not offered traffic selectors. Deleting IKE_SA");
|
||||
status = DELETE_ME;
|
||||
}
|
||||
|
||||
|
@ -461,6 +426,66 @@ static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_i
|
|||
allocator_free(ts_selected);
|
||||
return status;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements private_ike_auth_requested_t.process_notify_payload
|
||||
*/
|
||||
static status_t process_notify_payload(private_ike_auth_requested_t *this, notify_payload_t *notify_payload)
|
||||
{
|
||||
notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
|
||||
mapping_find(notify_message_type_m, notify_message_type),
|
||||
mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
|
||||
|
||||
if (notify_payload->get_protocol_id(notify_payload) != IKE)
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a notify for an invalid protocol. Deleting IKE_SA");
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
||||
switch (notify_message_type)
|
||||
{
|
||||
case INVALID_SYNTAX:
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an INVALID_SYNTAX notify. Deleting IKE_SA");
|
||||
return DELETE_ME;
|
||||
|
||||
}
|
||||
case AUTHENTICATION_FAILED:
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an AUTHENTICATION_FAILED notify. Deleting IKE_SA");
|
||||
return DELETE_ME;
|
||||
|
||||
}
|
||||
case SINGLE_PAIR_REQUIRED:
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a SINGLE_PAIR_REQUIRED notify. Deleting IKE_SA");
|
||||
return DELETE_ME;
|
||||
}
|
||||
default:
|
||||
{
|
||||
/*
|
||||
* - In case of unknown error: IKE_SA gets destroyed.
|
||||
* - In case of unknown status: logging
|
||||
*/
|
||||
|
||||
if (notify_message_type < 16383)
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an unknown notify error (%d). Deleting IKE_SA",
|
||||
notify_message_type);
|
||||
return DELETE_ME;
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an unknown notify (%d), ignored.", notify_message_type);
|
||||
return SUCCESS;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements state_t.get_state
|
||||
*/
|
||||
|
@ -498,6 +523,7 @@ ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk
|
|||
this->process_sa_payload = process_sa_payload;
|
||||
this->process_auth_payload = process_auth_payload;
|
||||
this->process_ts_payload = process_ts_payload;
|
||||
this->process_notify_payload = process_notify_payload;
|
||||
|
||||
/* private data */
|
||||
this->ike_sa = ike_sa;
|
||||
|
|
|
@ -39,6 +39,10 @@ typedef struct ike_auth_requested_t ike_auth_requested_t;
|
|||
* @ Constructors:
|
||||
* - ike_auth_requested_create()
|
||||
*
|
||||
* @todo handle certificate payloads
|
||||
*
|
||||
* @todo setup child SAs, if requested
|
||||
*
|
||||
* @ingroup states
|
||||
*/
|
||||
struct ike_auth_requested_t {
|
||||
|
@ -55,7 +59,7 @@ struct ike_auth_requested_t {
|
|||
* @param ike_sa assigned ike_sa object
|
||||
* @param sent_nonce Sent nonce value in IKE_SA_INIT request
|
||||
* @param received_nonce Received nonce value in IKE_SA_INIT response
|
||||
* @param ike_sa_init_reply_data binary representation of IKE_SA_INIT reply
|
||||
* @param ike_sa_init_reply_data binary representation of IKE_SA_INIT reply
|
||||
* @return created ike_auth_requested_t object
|
||||
*
|
||||
* @ingroup states
|
||||
|
|
|
@ -32,6 +32,15 @@ typedef struct ike_sa_established_t ike_sa_established_t;
|
|||
* @brief This class represents an the state of an established
|
||||
* IKE_SA.
|
||||
*
|
||||
* @b Constructors:
|
||||
* - ike_sa_established_create()
|
||||
*
|
||||
* @todo Implement handling of CREATE_CHILD_SA requests
|
||||
*
|
||||
* @todo Implement initialization of CREATE_CHILD_SA requests
|
||||
*
|
||||
* @todo Implement handling of any other message
|
||||
*
|
||||
* @ingroup states
|
||||
*/
|
||||
struct ike_sa_established_t {
|
||||
|
@ -43,7 +52,7 @@ struct ike_sa_established_t {
|
|||
};
|
||||
|
||||
/**
|
||||
* Constructor of class ike_sa_established_t
|
||||
* @brief Constructor of class ike_sa_established_t
|
||||
*
|
||||
* @param ike_sa assigned ike_sa
|
||||
* @return created ike_sa_established_t object
|
||||
|
|
|
@ -133,10 +133,12 @@ struct private_ike_sa_init_responded_t {
|
|||
* Sends a IKE_AUTH reply containing a notify payload.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param type type of notify message
|
||||
* @param data data of notify message
|
||||
* @param notify_payload payload to process
|
||||
* @return
|
||||
* - DELETE_ME if IKE_SA should be deleted
|
||||
* - SUCCSS if processed successfull
|
||||
*/
|
||||
void (*send_notify_reply) (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data);
|
||||
status_t (*process_notify_payload) (private_ike_sa_init_responded_t *this, notify_payload_t* notify_payload);
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -144,15 +146,16 @@ struct private_ike_sa_init_responded_t {
|
|||
*/
|
||||
static status_t process_message(private_ike_sa_init_responded_t *this, message_t *request)
|
||||
{
|
||||
id_payload_t *idi_request, *idr_request = NULL,*idr_response;
|
||||
ts_payload_t *tsi_request, *tsr_request;
|
||||
auth_payload_t *auth_request;
|
||||
sa_payload_t *sa_request;
|
||||
id_payload_t *idi_request = NULL, *idr_request = NULL,*idr_response;
|
||||
ts_payload_t *tsi_request = NULL, *tsr_request = NULL;
|
||||
auth_payload_t *auth_request = NULL;
|
||||
sa_payload_t *sa_request = NULL;
|
||||
iterator_t *payloads;
|
||||
message_t *response;
|
||||
crypter_t *crypter;
|
||||
signer_t *signer;
|
||||
status_t status;
|
||||
host_t *my_host, *other_host;
|
||||
|
||||
|
||||
if (request->get_exchange_type(request) != IKE_AUTH)
|
||||
|
@ -164,7 +167,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
|
|||
|
||||
if (!request->get_request(request))
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | LEVEL1, "Only requests of type IKE_AUTH supported in state ike_sa_init_responded");
|
||||
this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH responses not allowed state ike_sa_init_responded");
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
|
@ -177,16 +180,14 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
|
|||
{
|
||||
if (status == NOT_SUPPORTED)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | LEVEL1, "Message contains unsupported payload with critical flag set");
|
||||
/**
|
||||
* TODO send unsupported type.
|
||||
*/
|
||||
this->send_notify_reply(this,UNSUPPORTED_CRITICAL_PAYLOAD,CHUNK_INITIALIZER);
|
||||
this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH request contains unsupported payload with critical flag set."
|
||||
"Deleting IKE_SA");
|
||||
this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, UNSUPPORTED_CRITICAL_PAYLOAD, CHUNK_INITIALIZER);
|
||||
return DELETE_ME;
|
||||
}
|
||||
else
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | LEVEL1, "Could not parse body of request message");
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH request decryption faild. Ignoring message");
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
@ -220,18 +221,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
|
|||
sa_request = (sa_payload_t*)payload;
|
||||
break;
|
||||
}
|
||||
case CERTIFICATE:
|
||||
{
|
||||
/* TODO handle cert payloads */
|
||||
this->logger->log(this->logger, ERROR | LEVEL1, "Payload type CERTIFICATE currently not supported and so not handled");
|
||||
break;
|
||||
}
|
||||
case CERTIFICATE_REQUEST:
|
||||
{
|
||||
/* TODO handle certrequest payloads */
|
||||
this->logger->log(this->logger, ERROR | LEVEL1, "Payload type CERTIFICATE_REQUEST currently not supported and so not handled");
|
||||
break;
|
||||
}
|
||||
|
||||
case TRAFFIC_SELECTOR_INITIATOR:
|
||||
{
|
||||
tsi_request = (ts_payload_t*)payload;
|
||||
|
@ -245,45 +235,38 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
|
|||
case NOTIFY:
|
||||
{
|
||||
notify_payload_t *notify_payload = (notify_payload_t *) payload;
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
|
||||
mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
|
||||
mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
|
||||
|
||||
if (notify_payload->get_protocol_id(notify_payload) != IKE)
|
||||
status = this->process_notify_payload(this, notify_payload);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | LEVEL1, "Notify not for IKE protocol.");
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
return status;
|
||||
}
|
||||
switch (notify_payload->get_notify_message_type(notify_payload))
|
||||
{
|
||||
case SET_WINDOW_SIZE:
|
||||
/*
|
||||
* TODO Increase window size.
|
||||
*/
|
||||
case INITIAL_CONTACT:
|
||||
/*
|
||||
* TODO Delete existing IKE_SA's with other Identity.
|
||||
*/
|
||||
default:
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "Handling of notify type %s not implemented",
|
||||
notify_payload->get_notify_message_type(notify_payload));
|
||||
}
|
||||
}
|
||||
|
||||
break;
|
||||
}
|
||||
case CERTIFICATE:
|
||||
{
|
||||
/* TODO handle cert payloads */
|
||||
}
|
||||
case CERTIFICATE_REQUEST:
|
||||
{
|
||||
/* TODO handle certrequest payloads */
|
||||
}
|
||||
default:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Payload ID %d not handled in state IKE_AUTH_RESPONDED!", payload->get_type(payload));
|
||||
this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)",
|
||||
mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload));
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
/* iterator can be destroyed */
|
||||
payloads->destroy(payloads);
|
||||
|
||||
/* check if we have all payloads */
|
||||
if (!(idi_request && sa_request && auth_request && tsi_request && tsr_request))
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA");
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
||||
/* build response */
|
||||
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
|
||||
|
@ -293,46 +276,39 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
|
|||
status = this->build_idr_payload(this, idi_request, idr_request, response,&idr_response);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Building IDr payload failed");
|
||||
response->destroy(response);
|
||||
return status;
|
||||
}
|
||||
status = this->build_sa_payload(this, sa_request, response);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Building SA payload failed");
|
||||
response->destroy(response);
|
||||
return status;
|
||||
}
|
||||
status = this->build_auth_payload(this, auth_request,idi_request, idr_response,response);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Building AUTH payload failed");
|
||||
response->destroy(response);
|
||||
return status;
|
||||
}
|
||||
status = this->build_ts_payload(this, TRUE, tsi_request, response);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Building TSi payload failed");
|
||||
response->destroy(response);
|
||||
return status;
|
||||
}
|
||||
status = this->build_ts_payload(this, FALSE, tsr_request, response);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Building TSr payload failed");
|
||||
response->destroy(response);
|
||||
return status;
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL | LEVEL1, "IKE_AUTH request successfully handled. Sending reply.");
|
||||
status = this->ike_sa->send_response(this->ike_sa, response);
|
||||
|
||||
/* message can now be sent (must not be destroyed) */
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Could not send response message");
|
||||
this->logger->log(this->logger, AUDIT, "Unable to send IKE_AUTH reply. Deleting IKE_SA");
|
||||
response->destroy(response);
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
@ -340,8 +316,12 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
|
|||
/* create new state */
|
||||
this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
|
||||
this->ike_sa->create_delete_established_ike_sa_job(this->ike_sa,this->sa_config->get_ike_sa_lifetime(this->sa_config));
|
||||
|
||||
this->public.state_interface.destroy(&(this->public.state_interface));
|
||||
|
||||
my_host = this->ike_sa->get_my_host(this->ike_sa);
|
||||
other_host = this->ike_sa->get_other_host(this->ike_sa);
|
||||
this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s",
|
||||
my_host->get_address(my_host), other_host->get_address(other_host));
|
||||
|
||||
return SUCCESS;
|
||||
}
|
||||
|
@ -365,20 +345,28 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
|
|||
/* build new sa config */
|
||||
init_config = this->ike_sa->get_init_config(this->ike_sa);
|
||||
status = charon->configuration_manager->get_sa_config_for_init_config_and_id(charon->configuration_manager,init_config, other_id,my_id, &(this->sa_config));
|
||||
other_id->destroy(other_id);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
if (my_id)
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses IDs %s to %s, which we have no config for",
|
||||
other_id->get_string(other_id),my_id->get_string(my_id));
|
||||
my_id->destroy(my_id);
|
||||
}
|
||||
else
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses ID %s, which we have no config for",
|
||||
other_id->get_string(other_id));
|
||||
}
|
||||
other_id->destroy(other_id);
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
||||
if (my_id)
|
||||
{
|
||||
my_id->destroy(my_id);
|
||||
}
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Could not find config for %s", other_id->get_string(other_id));
|
||||
if (my_id)
|
||||
{
|
||||
my_id->destroy(my_id);
|
||||
}
|
||||
return DELETE_ME;
|
||||
}
|
||||
other_id->destroy(other_id);
|
||||
|
||||
/* get my id, if not requested */
|
||||
my_id = this->sa_config->get_my_id(this->sa_config);
|
||||
|
@ -419,16 +407,16 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
|
|||
}
|
||||
else
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "no matching proposal found");
|
||||
this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER);
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH request did not contain any proposals we accept. Deleting IKE_SA");
|
||||
this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER);
|
||||
status = DELETE_ME;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "requestor's sa payload contained no proposals");
|
||||
this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER);
|
||||
status = DELETE_ME;
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUH request did not contain any proposals. Deleting IKE_SA");
|
||||
this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER);
|
||||
status = DELETE_ME;
|
||||
}
|
||||
|
||||
|
||||
|
@ -454,13 +442,8 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p
|
|||
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Verification of AUTH payload returned status %s",mapping_find(status_m,status));
|
||||
authenticator->destroy(authenticator);
|
||||
/*
|
||||
* Send notify message of type AUTHENTICATION_FAILED
|
||||
*/
|
||||
this->logger->log(this->logger, CONTROL | LEVEL1, "Send notify message of type AUTHENTICATION_FAILED");
|
||||
this->send_notify_reply (this,AUTHENTICATION_FAILED,CHUNK_INITIALIZER);
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH request verification failed. Deleting IKE_SA");
|
||||
this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, AUTHENTICATION_FAILED, CHUNK_INITIALIZER);
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
||||
|
@ -469,7 +452,7 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p
|
|||
authenticator->destroy(authenticator);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Could not compute AUTH payload.");
|
||||
this->logger->log(this->logger, AUDIT, "Unable to build authentication data for IKE_AUTH reply. Deleting IKE_SA");
|
||||
return DELETE_ME;
|
||||
|
||||
}
|
||||
|
@ -525,44 +508,36 @@ static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_
|
|||
return status;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of of private_responder_init_t.send_notify_reply.
|
||||
*/
|
||||
static void send_notify_reply (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data)
|
||||
static status_t process_notify_payload(private_ike_sa_init_responded_t *this, notify_payload_t *notify_payload)
|
||||
{
|
||||
notify_payload_t *payload;
|
||||
message_t *response;
|
||||
packet_t *packet;
|
||||
status_t status;
|
||||
notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload");
|
||||
/* set up the reply */
|
||||
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
|
||||
payload = notify_payload_create_from_protocol_and_type(IKE,type);
|
||||
if ((data.ptr != NULL) && (data.len > 0))
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
|
||||
mapping_find(notify_message_type_m, notify_message_type),
|
||||
mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
|
||||
|
||||
if (notify_payload->get_protocol_id(notify_payload) != IKE)
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload");
|
||||
payload->set_notification_data(payload,data);
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH request contained a notify for an invalid protocol.");
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Add Notify payload to message");
|
||||
response->add_payload(response,(payload_t *) payload);
|
||||
|
||||
/* generate packet */
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Gnerate packet from message");
|
||||
status = response->generate(response, this->ike_sa->get_crypter_responder(this->ike_sa),
|
||||
this->ike_sa->get_signer_responder(this->ike_sa), &packet);
|
||||
if (status != SUCCESS)
|
||||
switch (notify_message_type)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Could not generate packet from message");
|
||||
response->destroy(response);
|
||||
return;
|
||||
case SET_WINDOW_SIZE:
|
||||
/*
|
||||
* TODO Increase window size.
|
||||
*/
|
||||
case INITIAL_CONTACT:
|
||||
/*
|
||||
* TODO Delete existing IKE_SA's with other Identity.
|
||||
*/
|
||||
default:
|
||||
{
|
||||
this->logger->log(this->logger, AUDIT, "IKE_AUTH request contained an unknown notify (%d), ignored.", notify_message_type);
|
||||
}
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
|
||||
charon->send_queue->add(charon->send_queue, packet);
|
||||
this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy message");
|
||||
response->destroy(response);
|
||||
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -578,15 +553,15 @@ static ike_sa_state_t get_state(private_ike_sa_init_responded_t *this)
|
|||
*/
|
||||
static void destroy(private_ike_sa_init_responded_t *this)
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL | LEVEL1, "Going to destroy ike_sa_init_responded_t state object");
|
||||
this->logger->log(this->logger, CONTROL | LEVEL3, "Going to destroy ike_sa_init_responded_t state object");
|
||||
|
||||
this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy received nonce");
|
||||
this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy received nonce");
|
||||
allocator_free_chunk(&(this->received_nonce));
|
||||
this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy sent nonce");
|
||||
this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy sent nonce");
|
||||
allocator_free_chunk(&(this->sent_nonce));
|
||||
this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy IKE_SA_INIT response octets");
|
||||
this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy IKE_SA_INIT response octets");
|
||||
allocator_free_chunk(&(this->ike_sa_init_response_data));
|
||||
this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy IKE_SA_INIT request octets");
|
||||
this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy IKE_SA_INIT request octets");
|
||||
allocator_free_chunk(&(this->ike_sa_init_request_data));
|
||||
|
||||
allocator_free(this);
|
||||
|
@ -609,7 +584,7 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa
|
|||
this->build_sa_payload = build_sa_payload;
|
||||
this->build_auth_payload = build_auth_payload;
|
||||
this->build_ts_payload = build_ts_payload;
|
||||
this->send_notify_reply = send_notify_reply;
|
||||
this->process_notify_payload = process_notify_payload;
|
||||
|
||||
/* private data */
|
||||
this->ike_sa = ike_sa;
|
||||
|
|
|
@ -39,6 +39,10 @@ typedef struct ike_sa_init_responded_t ike_sa_init_responded_t;
|
|||
* @b Constructors:
|
||||
* - ike_sa_init_response_data()
|
||||
*
|
||||
* @todo Implement handling of SET_WINDOW_SIZE notify
|
||||
*
|
||||
* @todo Implement handling of INITIAL_CONTACT notify
|
||||
*
|
||||
* @ingroup states
|
||||
*/
|
||||
struct ike_sa_init_responded_t {
|
||||
|
|
Loading…
Reference in New Issue