/** * @file ike_auth_requested.c * * @brief Implementation of ike_auth_requested_t. * */ /* * Copyright (C) 2005 Jan Hutter, Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See . * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ #include "ike_auth_requested.h" #include #include #include #include #include #include #include #include #include #include #include #include typedef struct private_ike_auth_requested_t private_ike_auth_requested_t; /** * Private data of a ike_auth_requested_t object. * */ struct private_ike_auth_requested_t { /** * Public interface of ike_auth_requested_t. */ ike_auth_requested_t public; /** * Assigned IKE_SA. */ protected_ike_sa_t *ike_sa; /** * SA config, just a copy of the one stored in the ike_sa. */ policy_t *policy; /** * Received nonce from responder. */ chunk_t received_nonce; /** * Sent nonce in IKE_SA_INIT request. */ chunk_t sent_nonce; /** * IKE_SA_INIT-Request in binary form. */ chunk_t ike_sa_init_reply_data; /** * Proposal to setup CHILD_SA */ proposal_t *proposal; /** * Traffic selectors applicable at our site */ linked_list_t *my_ts; /** * Traffic selectors applicable at remote site */ linked_list_t *other_ts; /** * Child sa created in ike_sa_init_requested */ child_sa_t *child_sa; /** * Assigned Logger. * * Is logger of ike_sa! */ logger_t *logger; /** * Process the IDr payload (check if other id is valid) * * @param this calling object * @param idr_payload ID payload of responder * @return * - SUCCESS * - DELETE_ME */ status_t (*process_idr_payload) (private_ike_auth_requested_t *this, id_payload_t *idr_payload); /** * Process the SA payload (check if selected proposals are valid, setup child sa) * * @param this calling object * @param sa_payload SA payload of responder * * - SUCCESS * - DELETE_ME */ status_t (*process_sa_payload) (private_ike_auth_requested_t *this, sa_payload_t *sa_payload); /** * Process the AUTH payload (check authenticity of message) * * @param this calling object * @param auth_payload AUTH payload of responder * @param other_id_payload ID payload of responder * * - SUCCESS * - DELETE_ME */ status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload); /** * Process the TS payload (check if selected traffic selectors are valid) * * @param this calling object * @param ts_initiator TRUE if TS payload is TSi, FALSE for TSr * @param ts_payload TS payload of responder * * - SUCCESS * - DELETE_ME */ status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload); /** * Process a notify payload * * @param this calling object * @param notify_payload notify payload * * - SUCCESS * - FAILED * - DELETE_ME */ status_t (*process_notify_payload) (private_ike_auth_requested_t *this, notify_payload_t *notify_payload); /** * Destroy function called internally of this class after state change to * state IKE_SA_ESTABLISHED succeeded. * * This destroy function does not destroy objects which were passed to the new state. * * @param this calling object */ void (*destroy_after_state_change) (private_ike_auth_requested_t *this); }; /** * Implements state_t.process_message */ static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply) { ts_payload_t *tsi_payload = NULL, *tsr_payload = NULL; id_payload_t *idr_payload = NULL; auth_payload_t *auth_payload = NULL; sa_payload_t *sa_payload = NULL; iterator_t *payloads = NULL; crypter_t *crypter = NULL; signer_t *signer = NULL; status_t status; host_t *my_host, *other_host; chunk_t seed; prf_plus_t *prf_plus; connection_t *connection; if (ike_auth_reply->get_exchange_type(ike_auth_reply) != IKE_AUTH) { this->logger->log(this->logger, ERROR | LEVEL1, "Message of type %s not supported in state ike_auth_requested", mapping_find(exchange_type_m,ike_auth_reply->get_exchange_type(ike_auth_reply))); return FAILED; } if (ike_auth_reply->get_request(ike_auth_reply)) { this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH requests not allowed state ike_sa_init_responded"); return FAILED; } /* get signer for verification and crypter for decryption */ signer = this->ike_sa->get_signer_responder(this->ike_sa); crypter = this->ike_sa->get_crypter_responder(this->ike_sa); /* parse incoming message */ status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer); if (status != SUCCESS) { this->logger->log(this->logger, AUDIT, "IKE_AUTH reply decryption failed. Ignoring message"); return status; } this->policy = this->ike_sa->get_policy(this->ike_sa); /* we collect all payloads, which are processed later. Notify's are processed * in place, since we don't know how may are there. */ payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply); while (payloads->has_next(payloads)) { payload_t *payload; payloads->current(payloads, (void**)&payload); switch (payload->get_type(payload)) { case AUTHENTICATION: { auth_payload = (auth_payload_t*)payload; break; } case ID_RESPONDER: { idr_payload = (id_payload_t*)payload; break; } case SECURITY_ASSOCIATION: { sa_payload = (sa_payload_t*)payload; break; } case TRAFFIC_SELECTOR_INITIATOR: { tsi_payload = (ts_payload_t*)payload; break; } case TRAFFIC_SELECTOR_RESPONDER: { tsr_payload = (ts_payload_t*)payload; break; } case NOTIFY: { notify_payload_t *notify_payload = (notify_payload_t *) payload; /* handle the notify directly, abort if no further processing required */ status = this->process_notify_payload(this, notify_payload); if (status != SUCCESS) { payloads->destroy(payloads); return status; } } case CERTIFICATE: { /* TODO handle cert payloads */ } default: { this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)", mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload)); break; } } } /* iterator can be destroyed */ payloads->destroy(payloads); /* check if we have all payloads */ if (!(idr_payload && sa_payload && auth_payload && tsi_payload && tsr_payload)) { this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA"); return DELETE_ME; } /* process all payloads */ status = this->process_idr_payload(this, idr_payload); if (status != SUCCESS) { return status; } status = this->process_auth_payload(this, auth_payload,idr_payload); if (status != SUCCESS) { return status; } status = this->process_sa_payload(this, sa_payload); if (status != SUCCESS) { return status; } status = this->process_ts_payload(this, TRUE, tsi_payload); if (status != SUCCESS) { return status; } status = this->process_ts_payload(this, FALSE, tsr_payload); if (status != SUCCESS) { return status; } /* install child SAs for AH and esp */ if (!this->child_sa) { this->logger->log(this->logger, CONTROL, "No CHILD_SA requested, no CHILD_SA built"); } if (!this->proposal) { this->logger->log(this->logger, CONTROL, "Proposal negotiation failed, no CHILD_SA built"); this->child_sa->destroy(this->child_sa); this->child_sa = NULL; } else if (this->my_ts->get_count(this->my_ts) == 0 || this->other_ts->get_count(this->other_ts) == 0) { this->logger->log(this->logger, CONTROL, "Traffic selector negotiation failed, no CHILD_SA built"); this->child_sa->destroy(this->child_sa); this->child_sa = NULL; } else { seed = allocator_alloc_as_chunk(this->sent_nonce.len + this->received_nonce.len); memcpy(seed.ptr, this->sent_nonce.ptr, this->sent_nonce.len); memcpy(seed.ptr + this->sent_nonce.len, this->received_nonce.ptr, this->received_nonce.len); prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed); allocator_free_chunk(&seed); status = this->child_sa->update(this->child_sa, this->proposal, prf_plus); prf_plus->destroy(prf_plus); if (status != SUCCESS) { this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA"); return DELETE_ME; } status = this->child_sa->add_policies(this->child_sa, this->my_ts, this->other_ts); if (status != SUCCESS) { this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA policy! Deleting IKE_SA"); return DELETE_ME; } this->ike_sa->add_child_sa(this->ike_sa, this->child_sa); } this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply)); /* create new state */ this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa)); this->destroy_after_state_change(this); connection = this->ike_sa->get_connection(this->ike_sa); my_host = connection->get_my_host(connection); other_host = connection->get_other_host(connection); this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s", my_host->get_address(my_host), other_host->get_address(other_host)); return SUCCESS; } /** * Implements private_ike_auth_requested_t.process_idr_payload */ static status_t process_idr_payload(private_ike_auth_requested_t *this, id_payload_t *idr_payload) { identification_t *other_id, *configured_other_id; other_id = idr_payload->get_identification(idr_payload); configured_other_id = this->policy->get_other_id(this->policy); if (configured_other_id) { this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s", configured_other_id->get_string(configured_other_id), other_id->get_string(other_id)); if (!other_id->equals(other_id, configured_other_id)) { other_id->destroy(other_id); this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not requested ID. Deleting IKE_SA"); return DELETE_ME; } } other_id->destroy(other_id); /* TODO do we have to store other_id somewhere ? */ return SUCCESS; } /** * Implements private_ike_auth_requested_t.process_sa_payload */ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payload_t *sa_payload) { proposal_t *proposal, *proposal_tmp; linked_list_t *proposal_list; /* get his selected proposal */ proposal_list = sa_payload->get_proposals(sa_payload); /* check count of proposals */ if (proposal_list->get_count(proposal_list) == 0) { /* no proposal? we accept this, but no child sa is built */ this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD didn't contain any proposals. No CHILD_SA created", proposal_list->get_count(proposal_list)); proposal_list->destroy(proposal_list); return SUCCESS; } if (proposal_list->get_count(proposal_list) > 1) { this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD contained %d proposal. Deleting IKE_SA", proposal_list->get_count(proposal_list)); while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS) { proposal->destroy(proposal); } proposal_list->destroy(proposal_list); return DELETE_ME; } /* we have to re-check here if other's selection is valid */ proposal = this->policy->select_proposal(this->policy, proposal_list); /* list not needed anymore */ while (proposal_list->remove_last(proposal_list, (void**)&proposal_tmp) == SUCCESS) { proposal_tmp->destroy(proposal_tmp); } proposal_list->destroy(proposal_list); /* got a match? */ if (proposal == NULL) { this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not offered proposal. Deleting IKE_SA"); return DELETE_ME; } /* apply proposal */ this->proposal = proposal; return SUCCESS; } /** * Implements private_ike_auth_requested_t.process_auth_payload */ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload) { authenticator_t *authenticator; status_t status; authenticator = authenticator_create(this->ike_sa); status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE); authenticator->destroy(authenticator); if (status != SUCCESS) { this->logger->log(this->logger, AUDIT, "Verification of IKE_AUTH reply failed. Deleting IKE_SA"); return DELETE_ME; } this->logger->log(this->logger, CONTROL|LEVEL1, "AUTH data verified successfully"); return SUCCESS; } /** * Implements private_ike_auth_requested_t.process_ts_payload */ static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload) { linked_list_t *ts_received, *ts_selected; traffic_selector_t *ts; /* get ts form payload */ ts_received = ts_payload->get_traffic_selectors(ts_payload); /* select ts depending on payload type */ if (ts_initiator) { ts_selected = this->policy->select_my_traffic_selectors(this->policy, ts_received); this->my_ts = ts_selected; } else { ts_selected = this->policy->select_other_traffic_selectors(this->policy, ts_received); this->other_ts = ts_selected; } /* check if the responder selected valid proposals */ if (ts_selected->get_count(ts_selected) != ts_received->get_count(ts_received)) { this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained not offered traffic selectors."); } /* cleanup */ while (ts_received->remove_last(ts_received, (void**)&ts) == SUCCESS) { ts->destroy(ts); } ts_received->destroy(ts_received); return SUCCESS; } /** * Implements private_ike_auth_requested_t.process_notify_payload */ static status_t process_notify_payload(private_ike_auth_requested_t *this, notify_payload_t *notify_payload) { notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload); this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s", mapping_find(notify_message_type_m, notify_message_type)); switch (notify_message_type) { case INVALID_SYNTAX: { this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an INVALID_SYNTAX notify. Deleting IKE_SA"); return DELETE_ME; } case AUTHENTICATION_FAILED: { this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an AUTHENTICATION_FAILED notify. Deleting IKE_SA"); return DELETE_ME; } case SINGLE_PAIR_REQUIRED: { this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a SINGLE_PAIR_REQUIRED notify. Deleting IKE_SA"); return DELETE_ME; } default: { /* * - In case of unknown error: IKE_SA gets destroyed. * - In case of unknown status: logging */ if (notify_message_type < 16383) { this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an unknown notify error (%d). Deleting IKE_SA", notify_message_type); return DELETE_ME; } else { this->logger->log(this->logger, CONTROL, "IKE_AUTH reply contained an unknown notify (%d), ignored.", notify_message_type); return SUCCESS; } } } } /** * Implements state_t.get_state */ static ike_sa_state_t get_state(private_ike_auth_requested_t *this) { return IKE_AUTH_REQUESTED; } /** * Implements state_t.get_state */ static void destroy(private_ike_auth_requested_t *this) { allocator_free_chunk(&(this->received_nonce)); allocator_free_chunk(&(this->sent_nonce)); allocator_free_chunk(&(this->ike_sa_init_reply_data)); if (this->child_sa) { this->child_sa->destroy(this->child_sa); } if (this->my_ts) { traffic_selector_t *ts; while (this->my_ts->remove_last(this->my_ts, (void**)&ts) == SUCCESS) { ts->destroy(ts); } this->my_ts->destroy(this->my_ts); } if (this->other_ts) { traffic_selector_t *ts; while (this->other_ts->remove_last(this->other_ts, (void**)&ts) == SUCCESS) { ts->destroy(ts); } this->other_ts->destroy(this->other_ts); } if (this->proposal) { this->proposal->destroy(this->proposal); } allocator_free(this); } /** * Implements protected_ike_sa_t.destroy_after_state_change */ static void destroy_after_state_change(private_ike_auth_requested_t *this) { allocator_free_chunk(&(this->received_nonce)); allocator_free_chunk(&(this->sent_nonce)); allocator_free_chunk(&(this->ike_sa_init_reply_data)); if (this->my_ts) { traffic_selector_t *ts; while (this->my_ts->remove_last(this->my_ts, (void**)&ts) == SUCCESS) { ts->destroy(ts); } this->my_ts->destroy(this->my_ts); } if (this->other_ts) { traffic_selector_t *ts; while (this->other_ts->remove_last(this->other_ts, (void**)&ts) == SUCCESS) { ts->destroy(ts); } this->other_ts->destroy(this->other_ts); } if (this->proposal) { this->proposal->destroy(this->proposal); } allocator_free(this); } /* * Described in header. */ ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk_t sent_nonce,chunk_t received_nonce,chunk_t ike_sa_init_reply_data, child_sa_t *child_sa) { private_ike_auth_requested_t *this = allocator_alloc_thing(private_ike_auth_requested_t); /* interface functions */ this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message; this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state; this->public.state_interface.destroy = (void (*) (state_t *)) destroy; /* private functions */ this->process_idr_payload = process_idr_payload; this->process_sa_payload = process_sa_payload; this->process_auth_payload = process_auth_payload; this->process_ts_payload = process_ts_payload; this->process_notify_payload = process_notify_payload; this->destroy_after_state_change = destroy_after_state_change; /* private data */ this->ike_sa = ike_sa; this->received_nonce = received_nonce; this->sent_nonce = sent_nonce; this->ike_sa_init_reply_data = ike_sa_init_reply_data; this->logger = charon->logger_manager->get_logger(charon->logger_manager, IKE_SA); this->my_ts = NULL; this->other_ts = NULL; this->proposal = NULL; this->child_sa = child_sa; return &(this->public); }