diff --git a/Source/charon/daemon.h b/Source/charon/daemon.h index 14afdc75d..d97e9b2ef 100644 --- a/Source/charon/daemon.h +++ b/Source/charon/daemon.h @@ -86,7 +86,7 @@ * This is the maximum allowed level for ever context, the definiton * of the context may be less verbose. */ -#define DEFAULT_LOGLEVEL CONTROL | ERROR +#define DEFAULT_LOGLEVEL CONTROL | ERROR | AUDIT typedef struct daemon_t daemon_t; diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c index 063b1ec4e..d87ebe0c6 100644 --- a/Source/charon/sa/ike_sa.c +++ b/Source/charon/sa/ike_sa.c @@ -844,6 +844,45 @@ static status_t send_response (private_ike_sa_t *this,message_t * message) return SUCCESS; } +/** + * Implementation of of private_responder_init_t.send_notify_reply. + */ +static void send_notify(private_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data) +{ + notify_payload_t *payload; + message_t *response; + packet_t *packet; + status_t status; + + this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload"); + /* set up the reply */ + this->protected.build_message(&(this->protected), exchange_type, FALSE, &response); + payload = notify_payload_create_from_protocol_and_type(IKE,type); + if ((data.ptr != NULL) && (data.len > 0)) + { + this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload"); + payload->set_notification_data(payload,data); + } + + this->logger->log(this->logger, CONTROL|LEVEL2, "Add Notify payload to message"); + response->add_payload(response,(payload_t *) payload); + + /* generate packet */ + this->logger->log(this->logger, CONTROL|LEVEL2, "Gnerate packet from message"); + status = response->generate(response, this->crypter_responder, this->signer_responder, &packet); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR|LEVEL1, "Could not generate notify message"); + response->destroy(response); + return; + } + + this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue"); + charon->send_queue->add(charon->send_queue, packet); + this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy message"); + response->destroy(response); +} + /** * Implementation of protected_ike_sa_t.set_last_replied_message_id. */ @@ -1050,6 +1089,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer; this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request; this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response; + this->protected.send_notify = (void (*)(protected_ike_sa_t*,exchange_type_t,notify_message_type_t,chunk_t)) send_notify; this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,ike_proposal_t *)) create_transforms_from_proposal; this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state; this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator; diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h index 3c5d0faf4..92da57cfd 100644 --- a/Source/charon/sa/ike_sa.h +++ b/Source/charon/sa/ike_sa.h @@ -288,6 +288,16 @@ struct protected_ike_sa_t { * - FAILED if message id is not next expected one */ status_t (*send_response) (protected_ike_sa_t *this,message_t * message); + + /** + * @brief Send a notify reply message. + * + * @param this calling object + * @param exchange_type type of exchange in which the notify should be wrapped + * @param type type of the notify message to send + * @param data notification data + */ + void (*send_notify) (protected_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data); /** * @brief Get the internal stored randomizer_t object. diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c index 8b799d674..208898593 100644 --- a/Source/charon/sa/states/ike_auth_requested.c +++ b/Source/charon/sa/states/ike_auth_requested.c @@ -123,7 +123,18 @@ struct private_ike_auth_requested_t { * - DELETE_ME */ status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload); - + + /** + * Process a notify payload + * + * @param this calling object + * @param ts_initiator TRUE if TS payload is TSi, FALSE for TSr + * @param ts_payload TS payload of responder + * + * - SUCCESS + * - DELETE_ME + */ + status_t (*process_notify_payload) (private_ike_auth_requested_t *this, notify_payload_t *notify_payload); }; @@ -132,14 +143,15 @@ struct private_ike_auth_requested_t { */ static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply) { - ts_payload_t *tsi_payload, *tsr_payload; + ts_payload_t *tsi_payload = NULL, *tsr_payload = NULL; id_payload_t *idr_payload = NULL; - auth_payload_t *auth_payload; - sa_payload_t *sa_payload; - iterator_t *payloads; - crypter_t *crypter; - signer_t *signer; + auth_payload_t *auth_payload = NULL; + sa_payload_t *sa_payload = NULL; + iterator_t *payloads = NULL; + crypter_t *crypter = NULL; + signer_t *signer = NULL; status_t status; + host_t *my_host, *other_host; if (ike_auth_reply->get_exchange_type(ike_auth_reply) != IKE_AUTH) { @@ -150,7 +162,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i if (ike_auth_reply->get_request(ike_auth_reply)) { - this->logger->log(this->logger, ERROR | LEVEL1, "Only responses of type IKE_AUTH supported in state ike_auth_requested"); + this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH requests not allowed state ike_sa_init_responded"); return FAILED; } @@ -162,13 +174,15 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | LEVEL1, "Could not parse body of request message"); + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply decryption faild. Ignoring message"); return status; } this->sa_config = this->ike_sa->get_sa_config(this->ike_sa); - /* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */ + /* we collect all payloads, which are processed later. Notify's are processed + * in place, since we don't know how may are there. + */ payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply); while (payloads->has_next(payloads)) { @@ -192,11 +206,6 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i sa_payload = (sa_payload_t*)payload; break; } - case CERTIFICATE: - { - /* TODO handle cert payloads */ - break; - } case TRAFFIC_SELECTOR_INITIATOR: { tsi_payload = (ts_payload_t*)payload; @@ -210,116 +219,73 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i case NOTIFY: { notify_payload_t *notify_payload = (notify_payload_t *) payload; - - - this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s", - mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)), - mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload))); - - if (notify_payload->get_protocol_id(notify_payload) != IKE) + /* handle the notify directly, abort if no further processing required */ + status = this->process_notify_payload(this, notify_payload); + if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | LEVEL1, "Notify reply not for IKE protocol"); payloads->destroy(payloads); - return DELETE_ME; - } - - switch (notify_payload->get_notify_message_type(notify_payload)) - { - case INVALID_SYNTAX: - { - this->logger->log(this->logger, ERROR, "Going to destroy IKE_SA"); - payloads->destroy(payloads); - return DELETE_ME; - - } - case AUTHENTICATION_FAILED: - { - this->logger->log(this->logger, ERROR, "Keys invalid?. Going to destroy IKE_SA"); - payloads->destroy(payloads); - return DELETE_ME; - - } - case SINGLE_PAIR_REQUIRED: - { - this->logger->log(this->logger, ERROR, "Please reconfigure CHILD_SA. Going to destroy IKE_SA"); - payloads->destroy(payloads); - return DELETE_ME; - } - default: - { - /* - * - In case of unknown error: IKE_SA gets destroyed. - * - In case of unknown status: logging - * - */ - notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload); - if (notify_message_type < 16383) - { - this->logger->log(this->logger, ERROR, "Notify error type %d not recognized in state IKE_AUTH_REQUESTED.", - notify_message_type); - payloads->destroy(payloads); - return DELETE_ME; - - } - else - { - this->logger->log(this->logger, ERROR, "Notify status type %d not handled in state IKE_AUTH_REQUESTED.", - notify_message_type); - break; - } - } + return status; } } + case CERTIFICATE: + { + /* TODO handle cert payloads */ + } default: { - this->logger->log(this->logger, ERROR, "Payload id %d not handled in state IKE_AUTH_REQUESTED", payload->get_type(payload)); + this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)", + mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload)); break; } } } /* iterator can be destroyed */ payloads->destroy(payloads); + + /* check if we have all payloads */ + if (!(idr_payload && sa_payload && auth_payload && tsi_payload && tsr_payload)) + { + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA"); + return DELETE_ME; + } /* process all payloads */ status = this->process_idr_payload(this, idr_payload); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Processing idr payload failed"); return status; } status = this->process_sa_payload(this, sa_payload); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Processing sa payload failed"); return status; } status = this->process_auth_payload(this, auth_payload,idr_payload); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Processing auth payload failed"); return status; } status = this->process_ts_payload(this, TRUE, tsi_payload); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Processing tsi payload failed"); return status; } status = this->process_ts_payload(this, FALSE, tsr_payload); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Processing tsr payload failed"); return status; } this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply)); - this->logger->log(this->logger, CONTROL | LEVEL1, "IKE_AUTH response successfully handled. IKE_SA established."); - /* create new state */ this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa)); this->ike_sa->create_delete_established_ike_sa_job(this->ike_sa,this->sa_config->get_ike_sa_lifetime(this->sa_config)); - this->public.state_interface.destroy(&(this->public.state_interface)); + + my_host = this->ike_sa->get_my_host(this->ike_sa); + other_host = this->ike_sa->get_other_host(this->ike_sa); + this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s", + my_host->get_address(my_host), other_host->get_address(other_host)); return SUCCESS; } @@ -335,20 +301,20 @@ static status_t process_idr_payload(private_ike_auth_requested_t *this, id_paylo configured_other_id = this->sa_config->get_other_id(this->sa_config); if (configured_other_id) { - this->logger->log(this->logger, CONTROL, "configured ID: %s, ID of responder: %s", + this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s", configured_other_id->get_string(configured_other_id), other_id->get_string(other_id)); if (!other_id->equals(other_id, configured_other_id)) { other_id->destroy(other_id); - this->logger->log(this->logger, ERROR, "IKE_AUTH reply didn't contain requested id"); + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not requested ID. Deleting IKE_SA"); return DELETE_ME; } } other_id->destroy(other_id); - /* TODO do we have to store other_id somewhere ? */ + /* TODO do we have to store other_id somewhere ? */ return SUCCESS; } @@ -369,20 +335,21 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa status = sa_payload->get_child_proposals(sa_payload, &proposals, &proposal_count); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "responders sa payload contained no proposals"); - return DELETE_ME; + /* there are no proposals. This is possible if the requester doesn't want to setup a child sa */ + this->logger->log(this->logger, CONTROL, "Responders SA_PAYLOAD contained no proposals, no CHILD_SA is built"); + return SUCCESS; } if (proposal_count > 1) { + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD contained more than one proposal. Deleting IKE_SA"); allocator_free(proposals); - this->logger->log(this->logger, ERROR, "responders sa payload contained more than one proposal"); return DELETE_ME; } proposal_chosen = this->sa_config->select_proposal(this->sa_config, ah_spi, esp_spi, proposals, proposal_count); if (proposal_chosen == NULL) { - this->logger->log(this->logger, ERROR, "responder selected an not offered proposal"); + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not offered proposal. Deleting IKE_SA"); allocator_free(proposals); return DELETE_ME; } @@ -404,18 +371,16 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa authenticator_t *authenticator; status_t status; - /* TODO VERIFY auth here */ authenticator = authenticator_create(this->ike_sa); - status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE); authenticator->destroy(authenticator); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Could not verify AUTH data. Error status: %s",mapping_find(status_m,status)); + this->logger->log(this->logger, AUDIT, "Verification of IKE_AUTH reply failed. Deleting IKE_SA"); return DELETE_ME; } - this->logger->log(this->logger, CONTROL | LEVEL1, "AUTH data verified"); + this->logger->log(this->logger, CONTROL|LEVEL1, "AUTH data verified successfully"); return SUCCESS; } @@ -442,7 +407,7 @@ static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_i /* check if the responder selected valid proposals */ if (ts_selected_count != ts_received_count) { - this->logger->log(this->logger, ERROR, "responder selected invalid traffic selectors"); + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained not offered traffic selectors. Deleting IKE_SA"); status = DELETE_ME; } @@ -461,6 +426,66 @@ static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_i allocator_free(ts_selected); return status; } + +/** + * Implements private_ike_auth_requested_t.process_notify_payload + */ +static status_t process_notify_payload(private_ike_auth_requested_t *this, notify_payload_t *notify_payload) +{ + notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload); + + this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s", + mapping_find(notify_message_type_m, notify_message_type), + mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload))); + + if (notify_payload->get_protocol_id(notify_payload) != IKE) + { + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a notify for an invalid protocol. Deleting IKE_SA"); + return DELETE_ME; + } + + switch (notify_message_type) + { + case INVALID_SYNTAX: + { + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an INVALID_SYNTAX notify. Deleting IKE_SA"); + return DELETE_ME; + + } + case AUTHENTICATION_FAILED: + { + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an AUTHENTICATION_FAILED notify. Deleting IKE_SA"); + return DELETE_ME; + + } + case SINGLE_PAIR_REQUIRED: + { + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a SINGLE_PAIR_REQUIRED notify. Deleting IKE_SA"); + return DELETE_ME; + } + default: + { + /* + * - In case of unknown error: IKE_SA gets destroyed. + * - In case of unknown status: logging + */ + + if (notify_message_type < 16383) + { + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an unknown notify error (%d). Deleting IKE_SA", + notify_message_type); + return DELETE_ME; + + } + else + { + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an unknown notify (%d), ignored.", notify_message_type); + return SUCCESS; + } + } + } +} + /** * Implements state_t.get_state */ @@ -498,6 +523,7 @@ ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk this->process_sa_payload = process_sa_payload; this->process_auth_payload = process_auth_payload; this->process_ts_payload = process_ts_payload; + this->process_notify_payload = process_notify_payload; /* private data */ this->ike_sa = ike_sa; diff --git a/Source/charon/sa/states/ike_auth_requested.h b/Source/charon/sa/states/ike_auth_requested.h index 677b19d07..34b948856 100644 --- a/Source/charon/sa/states/ike_auth_requested.h +++ b/Source/charon/sa/states/ike_auth_requested.h @@ -39,6 +39,10 @@ typedef struct ike_auth_requested_t ike_auth_requested_t; * @ Constructors: * - ike_auth_requested_create() * + * @todo handle certificate payloads + * + * @todo setup child SAs, if requested + * * @ingroup states */ struct ike_auth_requested_t { @@ -55,7 +59,7 @@ struct ike_auth_requested_t { * @param ike_sa assigned ike_sa object * @param sent_nonce Sent nonce value in IKE_SA_INIT request * @param received_nonce Received nonce value in IKE_SA_INIT response - * @param ike_sa_init_reply_data binary representation of IKE_SA_INIT reply + * @param ike_sa_init_reply_data binary representation of IKE_SA_INIT reply * @return created ike_auth_requested_t object * * @ingroup states diff --git a/Source/charon/sa/states/ike_sa_established.h b/Source/charon/sa/states/ike_sa_established.h index 6afc495cb..8477ad5bc 100644 --- a/Source/charon/sa/states/ike_sa_established.h +++ b/Source/charon/sa/states/ike_sa_established.h @@ -32,6 +32,15 @@ typedef struct ike_sa_established_t ike_sa_established_t; * @brief This class represents an the state of an established * IKE_SA. * + * @b Constructors: + * - ike_sa_established_create() + * + * @todo Implement handling of CREATE_CHILD_SA requests + * + * @todo Implement initialization of CREATE_CHILD_SA requests + * + * @todo Implement handling of any other message + * * @ingroup states */ struct ike_sa_established_t { @@ -43,7 +52,7 @@ struct ike_sa_established_t { }; /** - * Constructor of class ike_sa_established_t + * @brief Constructor of class ike_sa_established_t * * @param ike_sa assigned ike_sa * @return created ike_sa_established_t object diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c index 8c1ca880d..0e481f78d 100644 --- a/Source/charon/sa/states/ike_sa_init_responded.c +++ b/Source/charon/sa/states/ike_sa_init_responded.c @@ -133,10 +133,12 @@ struct private_ike_sa_init_responded_t { * Sends a IKE_AUTH reply containing a notify payload. * * @param this calling object - * @param type type of notify message - * @param data data of notify message + * @param notify_payload payload to process + * @return + * - DELETE_ME if IKE_SA should be deleted + * - SUCCSS if processed successfull */ - void (*send_notify_reply) (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data); + status_t (*process_notify_payload) (private_ike_sa_init_responded_t *this, notify_payload_t* notify_payload); }; /** @@ -144,15 +146,16 @@ struct private_ike_sa_init_responded_t { */ static status_t process_message(private_ike_sa_init_responded_t *this, message_t *request) { - id_payload_t *idi_request, *idr_request = NULL,*idr_response; - ts_payload_t *tsi_request, *tsr_request; - auth_payload_t *auth_request; - sa_payload_t *sa_request; + id_payload_t *idi_request = NULL, *idr_request = NULL,*idr_response; + ts_payload_t *tsi_request = NULL, *tsr_request = NULL; + auth_payload_t *auth_request = NULL; + sa_payload_t *sa_request = NULL; iterator_t *payloads; message_t *response; crypter_t *crypter; signer_t *signer; status_t status; + host_t *my_host, *other_host; if (request->get_exchange_type(request) != IKE_AUTH) @@ -164,7 +167,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t if (!request->get_request(request)) { - this->logger->log(this->logger, ERROR | LEVEL1, "Only requests of type IKE_AUTH supported in state ike_sa_init_responded"); + this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH responses not allowed state ike_sa_init_responded"); return FAILED; } @@ -177,16 +180,14 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t { if (status == NOT_SUPPORTED) { - this->logger->log(this->logger, ERROR | LEVEL1, "Message contains unsupported payload with critical flag set"); - /** - * TODO send unsupported type. - */ - this->send_notify_reply(this,UNSUPPORTED_CRITICAL_PAYLOAD,CHUNK_INITIALIZER); + this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH request contains unsupported payload with critical flag set." + "Deleting IKE_SA"); + this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, UNSUPPORTED_CRITICAL_PAYLOAD, CHUNK_INITIALIZER); return DELETE_ME; } else { - this->logger->log(this->logger, ERROR | LEVEL1, "Could not parse body of request message"); + this->logger->log(this->logger, AUDIT, "IKE_AUTH request decryption faild. Ignoring message"); } return status; } @@ -220,18 +221,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t sa_request = (sa_payload_t*)payload; break; } - case CERTIFICATE: - { - /* TODO handle cert payloads */ - this->logger->log(this->logger, ERROR | LEVEL1, "Payload type CERTIFICATE currently not supported and so not handled"); - break; - } - case CERTIFICATE_REQUEST: - { - /* TODO handle certrequest payloads */ - this->logger->log(this->logger, ERROR | LEVEL1, "Payload type CERTIFICATE_REQUEST currently not supported and so not handled"); - break; - } + case TRAFFIC_SELECTOR_INITIATOR: { tsi_request = (ts_payload_t*)payload; @@ -245,45 +235,38 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t case NOTIFY: { notify_payload_t *notify_payload = (notify_payload_t *) payload; - - this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s", - mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)), - mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload))); - - if (notify_payload->get_protocol_id(notify_payload) != IKE) + status = this->process_notify_payload(this, notify_payload); + if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | LEVEL1, "Notify not for IKE protocol."); payloads->destroy(payloads); - return DELETE_ME; + return status; } - switch (notify_payload->get_notify_message_type(notify_payload)) - { - case SET_WINDOW_SIZE: - /* - * TODO Increase window size. - */ - case INITIAL_CONTACT: - /* - * TODO Delete existing IKE_SA's with other Identity. - */ - default: - { - this->logger->log(this->logger, CONTROL|LEVEL1, "Handling of notify type %s not implemented", - notify_payload->get_notify_message_type(notify_payload)); - } - } - - break; + } + case CERTIFICATE: + { + /* TODO handle cert payloads */ + } + case CERTIFICATE_REQUEST: + { + /* TODO handle certrequest payloads */ } default: { - this->logger->log(this->logger, ERROR, "Payload ID %d not handled in state IKE_AUTH_RESPONDED!", payload->get_type(payload)); + this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)", + mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload)); break; } } } /* iterator can be destroyed */ payloads->destroy(payloads); + + /* check if we have all payloads */ + if (!(idi_request && sa_request && auth_request && tsi_request && tsr_request)) + { + this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA"); + return DELETE_ME; + } /* build response */ this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response); @@ -293,46 +276,39 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t status = this->build_idr_payload(this, idi_request, idr_request, response,&idr_response); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Building IDr payload failed"); response->destroy(response); return status; } status = this->build_sa_payload(this, sa_request, response); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Building SA payload failed"); response->destroy(response); return status; } status = this->build_auth_payload(this, auth_request,idi_request, idr_response,response); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Building AUTH payload failed"); response->destroy(response); return status; } status = this->build_ts_payload(this, TRUE, tsi_request, response); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Building TSi payload failed"); response->destroy(response); return status; } status = this->build_ts_payload(this, FALSE, tsr_request, response); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Building TSr payload failed"); response->destroy(response); return status; } - this->logger->log(this->logger, CONTROL | LEVEL1, "IKE_AUTH request successfully handled. Sending reply."); status = this->ike_sa->send_response(this->ike_sa, response); - /* message can now be sent (must not be destroyed) */ if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Could not send response message"); + this->logger->log(this->logger, AUDIT, "Unable to send IKE_AUTH reply. Deleting IKE_SA"); response->destroy(response); return DELETE_ME; } @@ -340,8 +316,12 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t /* create new state */ this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa)); this->ike_sa->create_delete_established_ike_sa_job(this->ike_sa,this->sa_config->get_ike_sa_lifetime(this->sa_config)); - this->public.state_interface.destroy(&(this->public.state_interface)); + + my_host = this->ike_sa->get_my_host(this->ike_sa); + other_host = this->ike_sa->get_other_host(this->ike_sa); + this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s", + my_host->get_address(my_host), other_host->get_address(other_host)); return SUCCESS; } @@ -365,20 +345,28 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl /* build new sa config */ init_config = this->ike_sa->get_init_config(this->ike_sa); status = charon->configuration_manager->get_sa_config_for_init_config_and_id(charon->configuration_manager,init_config, other_id,my_id, &(this->sa_config)); - other_id->destroy(other_id); + if (status != SUCCESS) + { + if (my_id) + { + this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses IDs %s to %s, which we have no config for", + other_id->get_string(other_id),my_id->get_string(my_id)); + my_id->destroy(my_id); + } + else + { + this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses ID %s, which we have no config for", + other_id->get_string(other_id)); + } + other_id->destroy(other_id); + return DELETE_ME; + } + if (my_id) { my_id->destroy(my_id); } - if (status != SUCCESS) - { - this->logger->log(this->logger, ERROR, "Could not find config for %s", other_id->get_string(other_id)); - if (my_id) - { - my_id->destroy(my_id); - } - return DELETE_ME; - } + other_id->destroy(other_id); /* get my id, if not requested */ my_id = this->sa_config->get_my_id(this->sa_config); @@ -419,16 +407,16 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo } else { - this->logger->log(this->logger, ERROR, "no matching proposal found"); - this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER); + this->logger->log(this->logger, AUDIT, "IKE_AUTH request did not contain any proposals we accept. Deleting IKE_SA"); + this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER); status = DELETE_ME; } } else { - this->logger->log(this->logger, ERROR, "requestor's sa payload contained no proposals"); - this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER); - status = DELETE_ME; + this->logger->log(this->logger, AUDIT, "IKE_AUH request did not contain any proposals. Deleting IKE_SA"); + this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER); + status = DELETE_ME; } @@ -454,13 +442,8 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Verification of AUTH payload returned status %s",mapping_find(status_m,status)); - authenticator->destroy(authenticator); - /* - * Send notify message of type AUTHENTICATION_FAILED - */ - this->logger->log(this->logger, CONTROL | LEVEL1, "Send notify message of type AUTHENTICATION_FAILED"); - this->send_notify_reply (this,AUTHENTICATION_FAILED,CHUNK_INITIALIZER); + this->logger->log(this->logger, AUDIT, "IKE_AUTH request verification failed. Deleting IKE_SA"); + this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, AUTHENTICATION_FAILED, CHUNK_INITIALIZER); return DELETE_ME; } @@ -469,7 +452,7 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p authenticator->destroy(authenticator); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR, "Could not compute AUTH payload."); + this->logger->log(this->logger, AUDIT, "Unable to build authentication data for IKE_AUTH reply. Deleting IKE_SA"); return DELETE_ME; } @@ -525,44 +508,36 @@ static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_ return status; } -/** - * Implementation of of private_responder_init_t.send_notify_reply. - */ -static void send_notify_reply (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data) +static status_t process_notify_payload(private_ike_sa_init_responded_t *this, notify_payload_t *notify_payload) { - notify_payload_t *payload; - message_t *response; - packet_t *packet; - status_t status; + notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload); - this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload"); - /* set up the reply */ - this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response); - payload = notify_payload_create_from_protocol_and_type(IKE,type); - if ((data.ptr != NULL) && (data.len > 0)) + this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s", + mapping_find(notify_message_type_m, notify_message_type), + mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload))); + + if (notify_payload->get_protocol_id(notify_payload) != IKE) { - this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload"); - payload->set_notification_data(payload,data); + this->logger->log(this->logger, AUDIT, "IKE_AUTH request contained a notify for an invalid protocol."); + return DELETE_ME; } - - this->logger->log(this->logger, CONTROL|LEVEL2, "Add Notify payload to message"); - response->add_payload(response,(payload_t *) payload); - - /* generate packet */ - this->logger->log(this->logger, CONTROL|LEVEL2, "Gnerate packet from message"); - status = response->generate(response, this->ike_sa->get_crypter_responder(this->ike_sa), - this->ike_sa->get_signer_responder(this->ike_sa), &packet); - if (status != SUCCESS) + switch (notify_message_type) { - this->logger->log(this->logger, ERROR, "Could not generate packet from message"); - response->destroy(response); - return; + case SET_WINDOW_SIZE: + /* + * TODO Increase window size. + */ + case INITIAL_CONTACT: + /* + * TODO Delete existing IKE_SA's with other Identity. + */ + default: + { + this->logger->log(this->logger, AUDIT, "IKE_AUTH request contained an unknown notify (%d), ignored.", notify_message_type); + } } - - this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue"); - charon->send_queue->add(charon->send_queue, packet); - this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy message"); - response->destroy(response); + + return SUCCESS; } /** @@ -578,15 +553,15 @@ static ike_sa_state_t get_state(private_ike_sa_init_responded_t *this) */ static void destroy(private_ike_sa_init_responded_t *this) { - this->logger->log(this->logger, CONTROL | LEVEL1, "Going to destroy ike_sa_init_responded_t state object"); + this->logger->log(this->logger, CONTROL | LEVEL3, "Going to destroy ike_sa_init_responded_t state object"); - this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy received nonce"); + this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy received nonce"); allocator_free_chunk(&(this->received_nonce)); - this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy sent nonce"); + this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy sent nonce"); allocator_free_chunk(&(this->sent_nonce)); - this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy IKE_SA_INIT response octets"); + this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy IKE_SA_INIT response octets"); allocator_free_chunk(&(this->ike_sa_init_response_data)); - this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy IKE_SA_INIT request octets"); + this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy IKE_SA_INIT request octets"); allocator_free_chunk(&(this->ike_sa_init_request_data)); allocator_free(this); @@ -609,7 +584,7 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa this->build_sa_payload = build_sa_payload; this->build_auth_payload = build_auth_payload; this->build_ts_payload = build_ts_payload; - this->send_notify_reply = send_notify_reply; + this->process_notify_payload = process_notify_payload; /* private data */ this->ike_sa = ike_sa; diff --git a/Source/charon/sa/states/ike_sa_init_responded.h b/Source/charon/sa/states/ike_sa_init_responded.h index f63bb1183..2ac8d0744 100644 --- a/Source/charon/sa/states/ike_sa_init_responded.h +++ b/Source/charon/sa/states/ike_sa_init_responded.h @@ -39,6 +39,10 @@ typedef struct ike_sa_init_responded_t ike_sa_init_responded_t; * @b Constructors: * - ike_sa_init_response_data() * + * @todo Implement handling of SET_WINDOW_SIZE notify + * + * @todo Implement handling of INITIAL_CONTACT notify + * * @ingroup states */ struct ike_sa_init_responded_t {