]>
Commit | Line | Data |
---|---|---|
c7dd2a7b MW |
1 | /** |
2 | * @file ike_auth_requested.c | |
3 | * | |
df3c59d0 | 4 | * @brief Implementation of ike_auth_requested_t. |
c7dd2a7b MW |
5 | * |
6 | */ | |
7 | ||
8 | /* | |
9 | * Copyright (C) 2005 Jan Hutter, Martin Willi | |
10 | * Hochschule fuer Technik Rapperswil | |
11 | * | |
12 | * This program is free software; you can redistribute it and/or modify it | |
13 | * under the terms of the GNU General Public License as published by the | |
14 | * Free Software Foundation; either version 2 of the License, or (at your | |
15 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
16 | * | |
17 | * This program is distributed in the hope that it will be useful, but | |
18 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
19 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
20 | * for more details. | |
21 | */ | |
5113680f MW |
22 | |
23 | #include <string.h> | |
24 | ||
c7dd2a7b MW |
25 | #include "ike_auth_requested.h" |
26 | ||
ccf783d2 | 27 | #include <daemon.h> |
ccf783d2 MW |
28 | #include <encoding/payloads/ts_payload.h> |
29 | #include <encoding/payloads/sa_payload.h> | |
30 | #include <encoding/payloads/id_payload.h> | |
31 | #include <encoding/payloads/auth_payload.h> | |
94b0f906 | 32 | #include <encoding/payloads/notify_payload.h> |
68621281 MW |
33 | #include <crypto/signers/signer.h> |
34 | #include <crypto/crypters/crypter.h> | |
ccf783d2 | 35 | #include <sa/states/ike_sa_established.h> |
0fdc3c7f | 36 | #include <sa/authenticator.h> |
aeda79ff | 37 | #include <sa/child_sa.h> |
5796aa16 MW |
38 | |
39 | typedef struct private_ike_auth_requested_t private_ike_auth_requested_t; | |
40 | ||
c7dd2a7b MW |
41 | /** |
42 | * Private data of a ike_auth_requested_t object. | |
43 | * | |
44 | */ | |
5796aa16 | 45 | struct private_ike_auth_requested_t { |
c7dd2a7b | 46 | /** |
9affa65c | 47 | * Public interface of ike_auth_requested_t. |
c7dd2a7b MW |
48 | */ |
49 | ike_auth_requested_t public; | |
50 | ||
c7dd2a7b | 51 | /** |
9affa65c | 52 | * Assigned IKE_SA. |
c7dd2a7b MW |
53 | */ |
54 | protected_ike_sa_t *ike_sa; | |
ccf783d2 MW |
55 | |
56 | /** | |
9affa65c | 57 | * SA config, just a copy of the one stored in the ike_sa. |
ccf783d2 | 58 | */ |
16b9a73c | 59 | policy_t *policy; |
0fdc3c7f JH |
60 | |
61 | /** | |
9affa65c | 62 | * Received nonce from responder. |
0fdc3c7f JH |
63 | */ |
64 | chunk_t received_nonce; | |
8d68033e JH |
65 | |
66 | /** | |
67 | * Sent nonce in IKE_SA_INIT request. | |
68 | */ | |
69 | chunk_t sent_nonce; | |
70 | ||
71 | /** | |
72 | * IKE_SA_INIT-Request in binary form. | |
73 | */ | |
74 | chunk_t ike_sa_init_reply_data; | |
30b5b412 | 75 | |
a527a426 MW |
76 | /** |
77 | * Proposal to setup CHILD_SA | |
78 | */ | |
79 | proposal_t *proposal; | |
80 | ||
81 | /** | |
82 | * Traffic selectors applicable at our site | |
83 | */ | |
84 | linked_list_t *my_ts; | |
85 | ||
86 | /** | |
87 | * Traffic selectors applicable at remote site | |
88 | */ | |
89 | linked_list_t *other_ts; | |
90 | ||
30b5b412 MW |
91 | /** |
92 | * Child sa created in ike_sa_init_requested | |
93 | */ | |
94 | child_sa_t *child_sa; | |
ccf783d2 MW |
95 | |
96 | /** | |
9affa65c | 97 | * Assigned Logger. |
ccf783d2 MW |
98 | * |
99 | * Is logger of ike_sa! | |
100 | */ | |
101 | logger_t *logger; | |
102 | ||
016dfc72 | 103 | /** |
9affa65c JH |
104 | * Process the IDr payload (check if other id is valid) |
105 | * | |
106 | * @param this calling object | |
107 | * @param idr_payload ID payload of responder | |
108 | * @return | |
109 | * - SUCCESS | |
110 | * - DELETE_ME | |
016dfc72 | 111 | */ |
ccf783d2 | 112 | status_t (*process_idr_payload) (private_ike_auth_requested_t *this, id_payload_t *idr_payload); |
016dfc72 MW |
113 | |
114 | /** | |
9affa65c JH |
115 | * Process the SA payload (check if selected proposals are valid, setup child sa) |
116 | * | |
117 | * @param this calling object | |
118 | * @param sa_payload SA payload of responder | |
119 | * | |
120 | * - SUCCESS | |
121 | * - DELETE_ME | |
016dfc72 | 122 | */ |
ccf783d2 | 123 | status_t (*process_sa_payload) (private_ike_auth_requested_t *this, sa_payload_t *sa_payload); |
016dfc72 MW |
124 | |
125 | /** | |
9affa65c JH |
126 | * Process the AUTH payload (check authenticity of message) |
127 | * | |
128 | * @param this calling object | |
129 | * @param auth_payload AUTH payload of responder | |
130 | * @param other_id_payload ID payload of responder | |
131 | * | |
132 | * - SUCCESS | |
133 | * - DELETE_ME | |
016dfc72 | 134 | */ |
0fdc3c7f | 135 | status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload); |
016dfc72 MW |
136 | |
137 | /** | |
9affa65c JH |
138 | * Process the TS payload (check if selected traffic selectors are valid) |
139 | * | |
140 | * @param this calling object | |
141 | * @param ts_initiator TRUE if TS payload is TSi, FALSE for TSr | |
142 | * @param ts_payload TS payload of responder | |
143 | * | |
144 | * - SUCCESS | |
145 | * - DELETE_ME | |
016dfc72 | 146 | */ |
ccf783d2 | 147 | status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload); |
283dbcc5 MW |
148 | |
149 | /** | |
150 | * Process a notify payload | |
151 | * | |
e9c0ca15 JH |
152 | * @param this calling object |
153 | * @param notify_payload notify payload | |
283dbcc5 MW |
154 | * |
155 | * - SUCCESS | |
e9c0ca15 | 156 | * - FAILED |
283dbcc5 MW |
157 | * - DELETE_ME |
158 | */ | |
159 | status_t (*process_notify_payload) (private_ike_auth_requested_t *this, notify_payload_t *notify_payload); | |
30b5b412 MW |
160 | |
161 | /** | |
162 | * Destroy function called internally of this class after state change to | |
163 | * state IKE_SA_ESTABLISHED succeeded. | |
164 | * | |
165 | * This destroy function does not destroy objects which were passed to the new state. | |
166 | * | |
167 | * @param this calling object | |
168 | */ | |
169 | void (*destroy_after_state_change) (private_ike_auth_requested_t *this); | |
c7dd2a7b MW |
170 | }; |
171 | ||
ccf783d2 | 172 | |
c7dd2a7b | 173 | /** |
ccf783d2 MW |
174 | * Implements state_t.process_message |
175 | */ | |
94b0f906 | 176 | static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply) |
ccf783d2 | 177 | { |
283dbcc5 | 178 | ts_payload_t *tsi_payload = NULL, *tsr_payload = NULL; |
ccb37df2 | 179 | id_payload_t *idr_payload = NULL; |
283dbcc5 MW |
180 | auth_payload_t *auth_payload = NULL; |
181 | sa_payload_t *sa_payload = NULL; | |
182 | iterator_t *payloads = NULL; | |
183 | crypter_t *crypter = NULL; | |
184 | signer_t *signer = NULL; | |
9affa65c | 185 | status_t status; |
283dbcc5 | 186 | host_t *my_host, *other_host; |
a527a426 MW |
187 | chunk_t seed; |
188 | prf_plus_t *prf_plus; | |
16b9a73c | 189 | connection_t *connection; |
ccf783d2 | 190 | |
9affa65c | 191 | if (ike_auth_reply->get_exchange_type(ike_auth_reply) != IKE_AUTH) |
ccf783d2 | 192 | { |
aee3eb52 | 193 | this->logger->log(this->logger, ERROR | LEVEL1, "Message of type %s not supported in state ike_auth_requested", |
9affa65c | 194 | mapping_find(exchange_type_m,ike_auth_reply->get_exchange_type(ike_auth_reply))); |
ccf783d2 MW |
195 | return FAILED; |
196 | } | |
197 | ||
94b0f906 | 198 | if (ike_auth_reply->get_request(ike_auth_reply)) |
ccf783d2 | 199 | { |
283dbcc5 | 200 | this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH requests not allowed state ike_sa_init_responded"); |
ccf783d2 MW |
201 | return FAILED; |
202 | } | |
203 | ||
204 | /* get signer for verification and crypter for decryption */ | |
205 | signer = this->ike_sa->get_signer_responder(this->ike_sa); | |
206 | crypter = this->ike_sa->get_crypter_responder(this->ike_sa); | |
207 | ||
208 | /* parse incoming message */ | |
94b0f906 | 209 | status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer); |
ccf783d2 MW |
210 | if (status != SUCCESS) |
211 | { | |
e9c0ca15 | 212 | this->logger->log(this->logger, AUDIT, "IKE_AUTH reply decryption failed. Ignoring message"); |
ccf783d2 MW |
213 | return status; |
214 | } | |
215 | ||
16b9a73c | 216 | this->policy = this->ike_sa->get_policy(this->ike_sa); |
ccf783d2 | 217 | |
283dbcc5 MW |
218 | /* we collect all payloads, which are processed later. Notify's are processed |
219 | * in place, since we don't know how may are there. | |
220 | */ | |
94b0f906 | 221 | payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply); |
ccf783d2 MW |
222 | while (payloads->has_next(payloads)) |
223 | { | |
224 | payload_t *payload; | |
225 | payloads->current(payloads, (void**)&payload); | |
226 | ||
227 | switch (payload->get_type(payload)) | |
228 | { | |
229 | case AUTHENTICATION: | |
230 | { | |
231 | auth_payload = (auth_payload_t*)payload; | |
232 | break; | |
233 | } | |
234 | case ID_RESPONDER: | |
235 | { | |
236 | idr_payload = (id_payload_t*)payload; | |
237 | break; | |
238 | } | |
239 | case SECURITY_ASSOCIATION: | |
240 | { | |
241 | sa_payload = (sa_payload_t*)payload; | |
242 | break; | |
243 | } | |
ccf783d2 MW |
244 | case TRAFFIC_SELECTOR_INITIATOR: |
245 | { | |
246 | tsi_payload = (ts_payload_t*)payload; | |
247 | break; | |
248 | } | |
249 | case TRAFFIC_SELECTOR_RESPONDER: | |
250 | { | |
251 | tsr_payload = (ts_payload_t*)payload; | |
252 | break; | |
253 | } | |
94b0f906 JH |
254 | case NOTIFY: |
255 | { | |
256 | notify_payload_t *notify_payload = (notify_payload_t *) payload; | |
283dbcc5 MW |
257 | /* handle the notify directly, abort if no further processing required */ |
258 | status = this->process_notify_payload(this, notify_payload); | |
259 | if (status != SUCCESS) | |
94b0f906 | 260 | { |
94b0f906 | 261 | payloads->destroy(payloads); |
283dbcc5 | 262 | return status; |
94b0f906 JH |
263 | } |
264 | } | |
283dbcc5 MW |
265 | case CERTIFICATE: |
266 | { | |
267 | /* TODO handle cert payloads */ | |
268 | } | |
ccf783d2 MW |
269 | default: |
270 | { | |
283dbcc5 MW |
271 | this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)", |
272 | mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload)); | |
9affa65c | 273 | break; |
ccf783d2 MW |
274 | } |
275 | } | |
276 | } | |
277 | /* iterator can be destroyed */ | |
278 | payloads->destroy(payloads); | |
283dbcc5 MW |
279 | |
280 | /* check if we have all payloads */ | |
281 | if (!(idr_payload && sa_payload && auth_payload && tsi_payload && tsr_payload)) | |
282 | { | |
283 | this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA"); | |
284 | return DELETE_ME; | |
285 | } | |
ccb37df2 | 286 | |
016dfc72 | 287 | /* process all payloads */ |
ccf783d2 MW |
288 | status = this->process_idr_payload(this, idr_payload); |
289 | if (status != SUCCESS) | |
290 | { | |
ccf783d2 MW |
291 | return status; |
292 | } | |
fb8aa445 | 293 | status = this->process_auth_payload(this, auth_payload,idr_payload); |
ccf783d2 MW |
294 | if (status != SUCCESS) |
295 | { | |
ccf783d2 MW |
296 | return status; |
297 | } | |
fb8aa445 | 298 | status = this->process_sa_payload(this, sa_payload); |
ccf783d2 MW |
299 | if (status != SUCCESS) |
300 | { | |
ccf783d2 MW |
301 | return status; |
302 | } | |
303 | status = this->process_ts_payload(this, TRUE, tsi_payload); | |
304 | if (status != SUCCESS) | |
305 | { | |
ccf783d2 MW |
306 | return status; |
307 | } | |
308 | status = this->process_ts_payload(this, FALSE, tsr_payload); | |
309 | if (status != SUCCESS) | |
310 | { | |
ccf783d2 MW |
311 | return status; |
312 | } | |
a527a426 MW |
313 | |
314 | /* install child SAs for AH and esp */ | |
315 | if (!this->child_sa) | |
316 | { | |
317 | this->logger->log(this->logger, CONTROL, "No CHILD_SA requested, no CHILD_SA built"); | |
318 | } | |
319 | if (!this->proposal) | |
320 | { | |
321 | this->logger->log(this->logger, CONTROL, "Proposal negotiation failed, no CHILD_SA built"); | |
5d187bd2 MW |
322 | this->child_sa->destroy(this->child_sa); |
323 | this->child_sa = NULL; | |
a527a426 MW |
324 | } |
325 | else if (this->my_ts->get_count(this->my_ts) == 0 || this->other_ts->get_count(this->other_ts) == 0) | |
326 | { | |
327 | this->logger->log(this->logger, CONTROL, "Traffic selector negotiation failed, no CHILD_SA built"); | |
5d187bd2 MW |
328 | this->child_sa->destroy(this->child_sa); |
329 | this->child_sa = NULL; | |
a527a426 MW |
330 | } |
331 | else | |
332 | { | |
5113680f | 333 | seed = chunk_alloc(this->sent_nonce.len + this->received_nonce.len); |
a527a426 MW |
334 | memcpy(seed.ptr, this->sent_nonce.ptr, this->sent_nonce.len); |
335 | memcpy(seed.ptr + this->sent_nonce.len, this->received_nonce.ptr, this->received_nonce.len); | |
336 | prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed); | |
5113680f | 337 | chunk_free(&seed); |
a527a426 MW |
338 | |
339 | status = this->child_sa->update(this->child_sa, this->proposal, prf_plus); | |
340 | prf_plus->destroy(prf_plus); | |
341 | if (status != SUCCESS) | |
342 | { | |
343 | this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA"); | |
344 | return DELETE_ME; | |
345 | } | |
5d187bd2 | 346 | status = this->child_sa->add_policies(this->child_sa, this->my_ts, this->other_ts); |
a527a426 MW |
347 | if (status != SUCCESS) |
348 | { | |
349 | this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA policy! Deleting IKE_SA"); | |
350 | return DELETE_ME; | |
351 | } | |
352 | this->ike_sa->add_child_sa(this->ike_sa, this->child_sa); | |
353 | } | |
354 | ||
94b0f906 | 355 | this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply)); |
87a217f9 | 356 | |
ccf783d2 | 357 | /* create new state */ |
87a217f9 MW |
358 | this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa)); |
359 | this->destroy_after_state_change(this); | |
360 | ||
16b9a73c MW |
361 | connection = this->ike_sa->get_connection(this->ike_sa); |
362 | my_host = connection->get_my_host(connection); | |
363 | other_host = connection->get_other_host(connection); | |
87a217f9 MW |
364 | this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s", |
365 | my_host->get_address(my_host), other_host->get_address(other_host)); | |
366 | ||
ccf783d2 MW |
367 | return SUCCESS; |
368 | } | |
369 | ||
370 | /** | |
016dfc72 | 371 | * Implements private_ike_auth_requested_t.process_idr_payload |
c7dd2a7b | 372 | */ |
ccf783d2 | 373 | static status_t process_idr_payload(private_ike_auth_requested_t *this, id_payload_t *idr_payload) |
c7dd2a7b | 374 | { |
ccf783d2 | 375 | identification_t *other_id, *configured_other_id; |
eea35346 | 376 | connection_t *connection; |
ccf783d2 | 377 | |
01de2f3c | 378 | other_id = idr_payload->get_identification(idr_payload); |
16b9a73c | 379 | configured_other_id = this->policy->get_other_id(this->policy); |
eea35346 MW |
380 | |
381 | this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s", | |
382 | configured_other_id->get_string(configured_other_id), | |
383 | other_id->get_string(other_id)); | |
384 | ||
385 | if (!other_id->belongs_to(other_id, configured_other_id)) | |
ccf783d2 | 386 | { |
eea35346 MW |
387 | other_id->destroy(other_id); |
388 | this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not acceptable ID. Deleting IKE_SA"); | |
389 | return DELETE_ME; | |
ccf783d2 | 390 | } |
01de2f3c | 391 | |
eea35346 MW |
392 | connection = this->ike_sa->get_connection(this->ike_sa); |
393 | connection->update_other_id(connection, other_id->clone(other_id)); | |
394 | ||
395 | this->policy->update_other_id(this->policy, other_id); | |
ccf783d2 MW |
396 | return SUCCESS; |
397 | } | |
398 | ||
399 | /** | |
016dfc72 | 400 | * Implements private_ike_auth_requested_t.process_sa_payload |
ccf783d2 MW |
401 | */ |
402 | static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payload_t *sa_payload) | |
403 | { | |
ce461bbd | 404 | proposal_t *proposal, *proposal_tmp; |
c06dbbab | 405 | linked_list_t *proposal_list; |
93df94ac | 406 | |
dfa6e086 | 407 | /* get his selected proposal */ |
ce461bbd | 408 | proposal_list = sa_payload->get_proposals(sa_payload); |
c06dbbab MW |
409 | /* check count of proposals */ |
410 | if (proposal_list->get_count(proposal_list) == 0) | |
ccf783d2 | 411 | { |
dfa6e086 | 412 | /* no proposal? we accept this, but no child sa is built */ |
c06dbbab MW |
413 | this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD didn't contain any proposals. No CHILD_SA created", |
414 | proposal_list->get_count(proposal_list)); | |
dfa6e086 | 415 | proposal_list->destroy(proposal_list); |
283dbcc5 | 416 | return SUCCESS; |
ccf783d2 | 417 | } |
c06dbbab | 418 | if (proposal_list->get_count(proposal_list) > 1) |
ccf783d2 | 419 | { |
c06dbbab MW |
420 | this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD contained %d proposal. Deleting IKE_SA", |
421 | proposal_list->get_count(proposal_list)); | |
dfa6e086 MW |
422 | while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS) |
423 | { | |
424 | proposal->destroy(proposal); | |
425 | } | |
426 | proposal_list->destroy(proposal_list); | |
9affa65c | 427 | return DELETE_ME; |
ccf783d2 MW |
428 | } |
429 | ||
c06dbbab | 430 | /* we have to re-check here if other's selection is valid */ |
16b9a73c | 431 | proposal = this->policy->select_proposal(this->policy, proposal_list); |
dfa6e086 MW |
432 | /* list not needed anymore */ |
433 | while (proposal_list->remove_last(proposal_list, (void**)&proposal_tmp) == SUCCESS) | |
434 | { | |
435 | proposal_tmp->destroy(proposal_tmp); | |
436 | } | |
437 | proposal_list->destroy(proposal_list); | |
438 | /* got a match? */ | |
c06dbbab | 439 | if (proposal == NULL) |
ccf783d2 | 440 | { |
283dbcc5 | 441 | this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not offered proposal. Deleting IKE_SA"); |
9affa65c | 442 | return DELETE_ME; |
ccf783d2 | 443 | } |
aeda79ff | 444 | |
a527a426 MW |
445 | /* apply proposal */ |
446 | this->proposal = proposal; | |
dfa6e086 | 447 | |
c7dd2a7b MW |
448 | return SUCCESS; |
449 | } | |
450 | ||
ccf783d2 | 451 | /** |
016dfc72 | 452 | * Implements private_ike_auth_requested_t.process_auth_payload |
ccf783d2 | 453 | */ |
0fdc3c7f | 454 | static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload) |
ccf783d2 | 455 | { |
0fdc3c7f | 456 | authenticator_t *authenticator; |
8d68033e | 457 | status_t status; |
8d68033e | 458 | |
0fdc3c7f | 459 | authenticator = authenticator_create(this->ike_sa); |
f6ba78c3 | 460 | status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE); |
0fdc3c7f | 461 | authenticator->destroy(authenticator); |
8d68033e JH |
462 | if (status != SUCCESS) |
463 | { | |
283dbcc5 | 464 | this->logger->log(this->logger, AUDIT, "Verification of IKE_AUTH reply failed. Deleting IKE_SA"); |
9affa65c | 465 | return DELETE_ME; |
8d68033e JH |
466 | } |
467 | ||
283dbcc5 | 468 | this->logger->log(this->logger, CONTROL|LEVEL1, "AUTH data verified successfully"); |
ccf783d2 MW |
469 | return SUCCESS; |
470 | } | |
471 | ||
472 | /** | |
016dfc72 | 473 | * Implements private_ike_auth_requested_t.process_ts_payload |
ccf783d2 MW |
474 | */ |
475 | static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload) | |
476 | { | |
a527a426 MW |
477 | linked_list_t *ts_received, *ts_selected; |
478 | traffic_selector_t *ts; | |
ccf783d2 MW |
479 | |
480 | /* get ts form payload */ | |
a527a426 | 481 | ts_received = ts_payload->get_traffic_selectors(ts_payload); |
ccf783d2 MW |
482 | /* select ts depending on payload type */ |
483 | if (ts_initiator) | |
484 | { | |
16b9a73c | 485 | ts_selected = this->policy->select_my_traffic_selectors(this->policy, ts_received); |
a527a426 | 486 | this->my_ts = ts_selected; |
ccf783d2 MW |
487 | } |
488 | else | |
489 | { | |
16b9a73c | 490 | ts_selected = this->policy->select_other_traffic_selectors(this->policy, ts_received); |
a527a426 | 491 | this->other_ts = ts_selected; |
ccf783d2 MW |
492 | } |
493 | /* check if the responder selected valid proposals */ | |
a527a426 | 494 | if (ts_selected->get_count(ts_selected) != ts_received->get_count(ts_received)) |
ccf783d2 | 495 | { |
f4d8999c | 496 | this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained not offered traffic selectors."); |
ccf783d2 MW |
497 | } |
498 | ||
499 | /* cleanup */ | |
a527a426 | 500 | while (ts_received->remove_last(ts_received, (void**)&ts) == SUCCESS) |
ccf783d2 | 501 | { |
ccf783d2 MW |
502 | ts->destroy(ts); |
503 | } | |
a527a426 MW |
504 | ts_received->destroy(ts_received); |
505 | ||
506 | return SUCCESS; | |
ccf783d2 | 507 | } |
283dbcc5 MW |
508 | |
509 | /** | |
510 | * Implements private_ike_auth_requested_t.process_notify_payload | |
511 | */ | |
512 | static status_t process_notify_payload(private_ike_auth_requested_t *this, notify_payload_t *notify_payload) | |
513 | { | |
514 | notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload); | |
515 | ||
dec59822 MW |
516 | this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s", |
517 | mapping_find(notify_message_type_m, notify_message_type)); | |
283dbcc5 MW |
518 | |
519 | switch (notify_message_type) | |
520 | { | |
521 | case INVALID_SYNTAX: | |
522 | { | |
523 | this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an INVALID_SYNTAX notify. Deleting IKE_SA"); | |
524 | return DELETE_ME; | |
525 | ||
526 | } | |
527 | case AUTHENTICATION_FAILED: | |
528 | { | |
529 | this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an AUTHENTICATION_FAILED notify. Deleting IKE_SA"); | |
530 | return DELETE_ME; | |
531 | ||
532 | } | |
533 | case SINGLE_PAIR_REQUIRED: | |
534 | { | |
535 | this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a SINGLE_PAIR_REQUIRED notify. Deleting IKE_SA"); | |
536 | return DELETE_ME; | |
537 | } | |
538 | default: | |
539 | { | |
540 | /* | |
541 | * - In case of unknown error: IKE_SA gets destroyed. | |
542 | * - In case of unknown status: logging | |
543 | */ | |
544 | ||
545 | if (notify_message_type < 16383) | |
546 | { | |
547 | this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an unknown notify error (%d). Deleting IKE_SA", | |
548 | notify_message_type); | |
549 | return DELETE_ME; | |
550 | ||
551 | } | |
552 | else | |
553 | { | |
5346c894 MW |
554 | this->logger->log(this->logger, CONTROL, "IKE_AUTH reply contained an unknown notify (%d), ignored.", |
555 | notify_message_type); | |
283dbcc5 MW |
556 | return SUCCESS; |
557 | } | |
558 | } | |
559 | } | |
560 | } | |
561 | ||
c7dd2a7b MW |
562 | /** |
563 | * Implements state_t.get_state | |
564 | */ | |
565 | static ike_sa_state_t get_state(private_ike_auth_requested_t *this) | |
566 | { | |
567 | return IKE_AUTH_REQUESTED; | |
568 | } | |
569 | ||
570 | /** | |
571 | * Implements state_t.get_state | |
572 | */ | |
d048df5c | 573 | static void destroy(private_ike_auth_requested_t *this) |
30b5b412 | 574 | { |
5113680f MW |
575 | chunk_free(&(this->received_nonce)); |
576 | chunk_free(&(this->sent_nonce)); | |
577 | chunk_free(&(this->ike_sa_init_reply_data)); | |
30b5b412 MW |
578 | if (this->child_sa) |
579 | { | |
580 | this->child_sa->destroy(this->child_sa); | |
581 | } | |
a527a426 MW |
582 | if (this->my_ts) |
583 | { | |
584 | traffic_selector_t *ts; | |
585 | while (this->my_ts->remove_last(this->my_ts, (void**)&ts) == SUCCESS) | |
586 | { | |
587 | ts->destroy(ts); | |
588 | } | |
589 | this->my_ts->destroy(this->my_ts); | |
590 | } | |
591 | if (this->other_ts) | |
592 | { | |
593 | traffic_selector_t *ts; | |
594 | while (this->other_ts->remove_last(this->other_ts, (void**)&ts) == SUCCESS) | |
595 | { | |
596 | ts->destroy(ts); | |
597 | } | |
598 | this->other_ts->destroy(this->other_ts); | |
599 | } | |
600 | if (this->proposal) | |
601 | { | |
602 | this->proposal->destroy(this->proposal); | |
603 | } | |
5113680f | 604 | free(this); |
30b5b412 MW |
605 | } |
606 | /** | |
607 | * Implements protected_ike_sa_t.destroy_after_state_change | |
608 | */ | |
609 | static void destroy_after_state_change(private_ike_auth_requested_t *this) | |
c7dd2a7b | 610 | { |
5113680f MW |
611 | chunk_free(&(this->received_nonce)); |
612 | chunk_free(&(this->sent_nonce)); | |
613 | chunk_free(&(this->ike_sa_init_reply_data)); | |
a527a426 MW |
614 | if (this->my_ts) |
615 | { | |
616 | traffic_selector_t *ts; | |
617 | while (this->my_ts->remove_last(this->my_ts, (void**)&ts) == SUCCESS) | |
618 | { | |
619 | ts->destroy(ts); | |
620 | } | |
621 | this->my_ts->destroy(this->my_ts); | |
622 | } | |
623 | if (this->other_ts) | |
624 | { | |
625 | traffic_selector_t *ts; | |
626 | while (this->other_ts->remove_last(this->other_ts, (void**)&ts) == SUCCESS) | |
627 | { | |
628 | ts->destroy(ts); | |
629 | } | |
630 | this->other_ts->destroy(this->other_ts); | |
631 | } | |
632 | if (this->proposal) | |
633 | { | |
634 | this->proposal->destroy(this->proposal); | |
635 | } | |
5113680f | 636 | free(this); |
c7dd2a7b MW |
637 | } |
638 | ||
639 | /* | |
640 | * Described in header. | |
641 | */ | |
30b5b412 | 642 | ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk_t sent_nonce,chunk_t received_nonce,chunk_t ike_sa_init_reply_data, child_sa_t *child_sa) |
c7dd2a7b | 643 | { |
5113680f | 644 | private_ike_auth_requested_t *this = malloc_thing(private_ike_auth_requested_t); |
c7dd2a7b MW |
645 | |
646 | /* interface functions */ | |
aad398a7 | 647 | this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message; |
c7dd2a7b | 648 | this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state; |
d048df5c | 649 | this->public.state_interface.destroy = (void (*) (state_t *)) destroy; |
c7dd2a7b | 650 | |
ccf783d2 | 651 | /* private functions */ |
ccf783d2 MW |
652 | this->process_idr_payload = process_idr_payload; |
653 | this->process_sa_payload = process_sa_payload; | |
654 | this->process_auth_payload = process_auth_payload; | |
655 | this->process_ts_payload = process_ts_payload; | |
283dbcc5 | 656 | this->process_notify_payload = process_notify_payload; |
30b5b412 | 657 | this->destroy_after_state_change = destroy_after_state_change; |
ccf783d2 | 658 | |
c7dd2a7b MW |
659 | /* private data */ |
660 | this->ike_sa = ike_sa; | |
0fdc3c7f | 661 | this->received_nonce = received_nonce; |
8d68033e JH |
662 | this->sent_nonce = sent_nonce; |
663 | this->ike_sa_init_reply_data = ike_sa_init_reply_data; | |
5113680f | 664 | this->logger = logger_manager->get_logger(logger_manager, IKE_SA); |
a527a426 MW |
665 | this->my_ts = NULL; |
666 | this->other_ts = NULL; | |
667 | this->proposal = NULL; | |
30b5b412 | 668 | this->child_sa = child_sa; |
c7dd2a7b MW |
669 | |
670 | return &(this->public); | |
671 | } |