init_config_t *init_config1, *init_config2, *init_config3;
ike_proposal_t proposals[2];
child_proposal_t child_proposals[1];
- sa_config_t *sa_config1, *sa_config2;
+ sa_config_t *sa_config1, *sa_config2, *sa_config3;
traffic_selector_t *ts;
init_config1 = init_config_create("152.96.193.131","152.96.193.131",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
sa_config2->add_traffic_selector_initiator(sa_config2,ts);
sa_config2->add_traffic_selector_responder(sa_config2,ts);
+
+ sa_config3 = sa_config_create(ID_IPV4_ADDR, "127.0.0.1",
+ ID_IPV4_ADDR, "127.0.0.1",
+ SHARED_KEY_MESSAGE_INTEGRITY_CODE);
+
+ sa_config3->add_traffic_selector_initiator(sa_config3,ts);
+ sa_config3->add_traffic_selector_responder(sa_config3,ts);
ts->destroy(ts);
child_proposals[0].esp.encryption_algorithm = ENCR_AES_CBC;
child_proposals[0].esp.encryption_algorithm_key_size = 16;
child_proposals[0].esp.integrity_algorithm = AUTH_UNDEFINED;
+ child_proposals[0].esp.extended_sequence_numbers = NO_EXT_SEQ_NUMBERS;
child_proposals[0].esp.spi[0] = 2;
child_proposals[0].esp.spi[1] = 2;
child_proposals[0].esp.spi[2] = 2;
sa_config1->add_proposal(sa_config1, &child_proposals[0]);
sa_config2->add_proposal(sa_config2, &child_proposals[0]);
+ sa_config3->add_proposal(sa_config3, &child_proposals[0]);
this->add_new_configuration(this,"pinflb31",init_config1,sa_config2);
this->add_new_configuration(this,"pinflb30",init_config2,sa_config1);
- this->add_new_configuration(this,"localhost",init_config3,sa_config1);
+ this->add_new_configuration(this,"localhost",init_config3,sa_config3);
}
*/
static bool proposal_equals(private_sa_config_t *this, child_proposal_t *first, child_proposal_t *second)
{
+ /*
+ * Proto ? Mandatory ? Optional
+ * -----------------------------------
+ * ESP ? ENCR ? INTEG, D-H, ESN
+ * AH ? INTEG ? D-H, ESN
+ */
+
+ /* equality defaults to false, so return is FALSE if ah and esp not set */
bool equal = FALSE;
+ /* check ah, if set */
if (first->ah.is_set && second->ah.is_set)
{
- if ((first->ah.integrity_algorithm != second->ah.integrity_algorithm) ||
- (first->ah.integrity_algorithm_key_size != second->ah.integrity_algorithm_key_size) ||
- (first->ah.diffie_hellman_group != second->ah.diffie_hellman_group) ||
- (first->ah.extended_sequence_numbers != second->ah.extended_sequence_numbers))
+ /* integrity alg is mandatory, with key size */
+ if ((first->ah.integrity_algorithm == second->ah.integrity_algorithm) &&
+ (first->ah.integrity_algorithm_key_size == second->ah.integrity_algorithm_key_size))
{
- return FALSE;
+ /* dh group is optional, but must be NOT_SET when not set */
+ if (first->ah.diffie_hellman_group != second->ah.diffie_hellman_group)
+ {
+ return FALSE;
+ }
+ /* sequence numbers is optional, but must be NOT_SET when not set */
+ if (first->ah.extended_sequence_numbers != second->ah.extended_sequence_numbers)
+ {
+ return FALSE;
+ }
+ /* all checked, ah seems ok */
+ equal = TRUE;
+ }
+ else
+ {
+ return FALSE;
}
- equal = TRUE;
}
+ /* check esp, if set */
if (first->esp.is_set && second->esp.is_set)
{
- if ((first->esp.encryption_algorithm != second->esp.encryption_algorithm) ||
- (first->esp.encryption_algorithm_key_size != second->esp.encryption_algorithm_key_size) ||
- (first->esp.integrity_algorithm != second->esp.integrity_algorithm) ||
- (first->esp.integrity_algorithm_key_size != second->esp.integrity_algorithm_key_size) ||
- (first->esp.diffie_hellman_group != second->esp.diffie_hellman_group) ||
- (first->esp.extended_sequence_numbers != second->esp.extended_sequence_numbers))
+ /* encryption alg is mandatory, with key size */
+ if ((first->esp.encryption_algorithm == second->esp.encryption_algorithm) &&
+ (first->esp.encryption_algorithm_key_size == second->esp.encryption_algorithm_key_size))
+ {
+ /* int alg is optional, check key only when not NOT_SET */
+ if (first->esp.integrity_algorithm != second->esp.integrity_algorithm)
+ {
+ return FALSE;
+ }
+ if ((first->esp.integrity_algorithm != AUTH_UNDEFINED) &&
+ (first->esp.integrity_algorithm_key_size != second->esp.integrity_algorithm_key_size))
+ {
+ return FALSE;
+ }
+ /* dh group is optional, but must be NOT_SET when not set */
+ if (first->esp.diffie_hellman_group != second->esp.diffie_hellman_group)
+ {
+ return FALSE;
+ }
+ if (first->esp.extended_sequence_numbers != second->esp.extended_sequence_numbers)
+ {
+ return FALSE;
+ }
+ /* all checked, esp seems ok */
+ equal = TRUE;
+ }
+ else
{
- return FALSE;
+ return FALSE;
}
- equal = TRUE;
}
return equal;
}
status = encryption_payload->decrypt(encryption_payload);
if (status != SUCCESS)
{
- this->logger->log(this->logger, ERROR | MORE, "Encrypted payload could not be decrypted and parsed");
+ this->logger->log(this->logger, ERROR | MORE, "Encrypted payload could not be decrypted and parsed: %s",
+ mapping_find(status_m, status));
iterator->destroy(iterator);
return status;
}
#include "encryption_payload.h"
+#include <daemon.h>
#include <encoding/payloads/encodings.h>
#include <utils/allocator.h>
#include <utils/linked_list.h>
+#include <utils/logger.h>
#include <encoding/generator.h>
#include <encoding/parser.h>
#include <utils/iterator.h>
*/
linked_list_t *payloads;
+ /**
+ * logger for this payload, uses MESSAGE context
+ */
+ logger_t *logger;
+
/**
* @brief Computes the length of this payload.
*
* @param this calling private_encryption_payload_t object
*/
void (*generate) (private_encryption_payload_t *this);
+
+ /**
+ * @brief Parse payloads from a (unencrypted) chunk.
+ *
+ * @param this calling private_encryption_payload_t object
+ */
status_t (*parse) (private_encryption_payload_t *this);
};
return SUCCESS;
}
-/**
- * Implementation of payload_t.destroy.
- */
-static void destroy(private_encryption_payload_t *this)
-{
- /* all proposals are getting destroyed */
- while (this->payloads->get_count(this->payloads) > 0)
- {
- payload_t *current_payload;
- this->payloads->remove_last(this->payloads,(void **)¤t_payload);
- current_payload->destroy(current_payload);
- }
- this->payloads->destroy(this->payloads);
- allocator_free(this->encrypted.ptr);
- allocator_free(this->decrypted.ptr);
- allocator_free(this);
-}
-
/**
* Implementation of payload_t.get_encoding_rules.
*/
if (this->signer == NULL || this->crypter == NULL)
{
+ this->logger->log(this->logger, ERROR, "could not encrypt, signer/crypter not set");
return INVALID_STATE;
}
/* for random data in iv and padding */
randomizer = randomizer_create();
+
/* build payload chunk */
this->generate(this);
+ this->logger->log(this->logger, CONTROL|MOST, "encrypting payloads");
+
/* build padding */
block_size = this->crypter->get_block_size(this->crypter);
padding.len = block_size - ((this->decrypted.len + 1) % block_size);
allocator_free(to_crypt.ptr);
if (status != SUCCESS)
{
+ this->logger->log(this->logger, ERROR, "encryption failed");
allocator_free(iv.ptr);
return status;
}
u_int8_t padding_length;
status_t status;
+
+ this->logger->log(this->logger, CONTROL|MOST, "decrypting encryption payload");
+
if (this->signer == NULL || this->crypter == NULL)
{
+ this->logger->log(this->logger, ERROR, "could not decrypt, no crypter/signer set");
return INVALID_STATE;
}
*/
if (concatenated.len < iv.len)
{
+ this->logger->log(this->logger, ERROR, "could not decrypt, invalid input");
return FAILED;
}
status = this->crypter->decrypt(this->crypter, concatenated, iv, &(this->decrypted));
if (status != SUCCESS)
{
+ this->logger->log(this->logger, ERROR, "could not decrypt, decryption failed");
return FAILED;
}
/* check size again */
if (padding_length > concatenated.len || this->decrypted.len < 0)
{
+ this->logger->log(this->logger, ERROR, "decryption failed, invalid padding length found. Invalid key ?");
/* decryption failed :-/ */
return FAILED;
}
/* free padding */
this->decrypted.ptr = allocator_realloc(this->decrypted.ptr, this->decrypted.len);
+ this->logger->log(this->logger, CONTROL|MOST, "decryption successful, trying to parse content");
return (this->parse(this));
}
if (this->signer == NULL)
{
+ this->logger->log(this->logger, ERROR, "unable to build signature, no signer set");
return INVALID_STATE;
}
sig.len = this->signer->get_block_size(this->signer);
data_without_sig.len -= sig.len;
sig.ptr = data.ptr + data_without_sig.len;
+ this->logger->log(this->logger, CONTROL|MOST, "building signature");
this->signer->get_signature(this->signer, data_without_sig, sig.ptr);
return SUCCESS;
}
if (this->signer == NULL)
{
+ this->logger->log(this->logger, ERROR, "unable to verify signature, no signer set");
return INVALID_STATE;
}
/* find signature in data chunk */
sig.len = this->signer->get_block_size(this->signer);
if (data.len <= sig.len)
{
+ this->logger->log(this->logger, ERROR|MORE, "unable to verify signature, invalid input");
return FAILED;
}
sig.ptr = data.ptr + data.len - sig.len;
if (!valid)
{
+ this->logger->log(this->logger, ERROR|MORE, "signature verification failed");
return FAILED;
}
+ this->logger->log(this->logger, CONTROL|MOST, "signature verification successful");
return SUCCESS;
}
else
{
/* no paylads? */
+ this->logger->log(this->logger, CONTROL|MOST, "generating contained payloads, but no available");
allocator_free(this->decrypted.ptr);
this->decrypted = CHUNK_INITIALIZER;
iterator->destroy(iterator);
generator->write_to_chunk(generator, &(this->decrypted));
generator->destroy(generator);
+ this->logger->log(this->logger, CONTROL|MOST, "successfully generated content in encrpytion payload");
}
/**
/* check if there is decrypted data */
if (this->decrypted.ptr == NULL)
{
+ this->logger->log(this->logger, ERROR, "unable to parse, no input!");
return INVALID_STATE;
}
status = current_payload->verify(current_payload);
if (status != SUCCESS)
{
+
+ this->logger->log(this->logger, ERROR, "%s verification failed: %s",
+ mapping_find(payload_type_m,current_payload->get_type(current_payload)),
+ mapping_find(status_m, status));
current_payload->destroy(current_payload);
parser->destroy(parser);
return VERIFY_ERROR;
this->payloads->insert_last(this->payloads,current_payload);
}
parser->destroy(parser);
+ this->logger->log(this->logger, CONTROL|MOST, "succesfully parsed content of encryption payload");
return SUCCESS;
}
this->payload_length = length;
}
+
+/**
+ * Implementation of payload_t.destroy.
+ */
+static void destroy(private_encryption_payload_t *this)
+{
+ /* all proposals are getting destroyed */
+ while (this->payloads->get_count(this->payloads) > 0)
+ {
+ payload_t *current_payload;
+ this->payloads->remove_last(this->payloads,(void **)¤t_payload);
+ current_payload->destroy(current_payload);
+ }
+ this->payloads->destroy(this->payloads);
+ charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
+ allocator_free(this->encrypted.ptr);
+ allocator_free(this->decrypted.ptr);
+ allocator_free(this);
+}
+
/*
* Described in header
*/
this->compute_length = compute_length;
this->generate = generate;
this->parse = parse;
+ this->logger = charon->logger_manager->create_logger(charon->logger_manager, ENCRYPTION_PAYLOAD, NULL);
/* set default values of the fields */
this->critical = TRUE;
static status_t verify(private_ts_payload_t *this)
{
iterator_t *iterator;
- status_t status;
+ status_t status = FAILED;
if (this->critical)
{
}
iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
-
while(iterator->has_next(iterator))
{
payload_t *current_traffic_selector;
break;
}
}
-
iterator->destroy(iterator);
-
return status;
}
return this->signer_initiator;
}
+/**
+ * Implementation of protected_ike_sa_t.get_crypter_responder.
+ */
+static crypter_t *get_crypter_responder(private_ike_sa_t *this)
+{
+ return this->crypter_responder;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.get_signer_responder.
+ */
+static signer_t *get_signer_responder (private_ike_sa_t *this)
+{
+ return this->signer_responder;
+}
+
+
/**
* Implementation of protected_ike_sa_t.set_last_requested_message.
*/
this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator;
+ this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
+ this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
/* private functions */
* @return pointer to signer_t object
*/
signer_t *(*get_signer_initiator) (protected_ike_sa_t *this);
+
+ /**
+ * Gets the internal stored responder crypter_t object.
+ *
+ * @param this calling object
+ * @return pointer to crypter_t object
+ */
+ crypter_t *(*get_crypter_responder) (protected_ike_sa_t *this);
+
+ /**
+ * Gets the internal stored responder signer object.
+ *
+ * @param this calling object
+ * @return pointer to signer_t object
+ */
+ signer_t *(*get_signer_responder) (protected_ike_sa_t *this);
/**
* Resets message id counters and does destroy stored received and sent messages.
#include "ike_auth_requested.h"
+#include <daemon.h>
#include <utils/allocator.h>
-
+#include <encoding/payloads/ts_payload.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <transforms/signers/signer.h>
+#include <transforms/crypters/crypter.h>
+#include <sa/states/ike_sa_established.h>
typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
* Assigned IKE_SA
*/
protected_ike_sa_t *ike_sa;
+
+ /**
+ * SA config, just a copy of the one stored in the ike_sa
+ */
+ sa_config_t *sa_config;
+
+ /**
+ * Logger used to log data
+ *
+ * Is logger of ike_sa!
+ */
+ logger_t *logger;
+
+ status_t (*process_idr_payload) (private_ike_auth_requested_t *this, id_payload_t *idr_payload);
+ status_t (*process_sa_payload) (private_ike_auth_requested_t *this, sa_payload_t *sa_payload);
+ status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload);
+ status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload);
+
};
+
/**
- * Implements state_t.get_state
+ * Implements state_t.process_message
+ */
+static status_t process_message(private_ike_auth_requested_t *this, message_t *request)
+{
+ status_t status;
+ signer_t *signer;
+ crypter_t *crypter;
+ iterator_t *payloads;
+ exchange_type_t exchange_type;
+ id_payload_t *idr_payload;
+ auth_payload_t *auth_payload;
+ sa_payload_t *sa_payload;
+ ts_payload_t *tsi_payload, *tsr_payload;
+
+ return SUCCESS;
+
+ exchange_type = request->get_exchange_type(request);
+ if (exchange_type != IKE_AUTH)
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Message of type %s not supported in state ike_auth_requested",
+ mapping_find(exchange_type_m,exchange_type));
+ return FAILED;
+ }
+
+ if (request->get_request(request))
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Only responses of type IKE_AUTH supported in state ike_auth_requested");
+ return FAILED;
+ }
+
+ /* get signer for verification and crypter for decryption */
+ signer = this->ike_sa->get_signer_responder(this->ike_sa);
+ crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
+
+ /* parse incoming message */
+ status = request->parse_body(request, crypter, signer);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Could not parse body of request message");
+ return status;
+ }
+
+ this->sa_config = this->ike_sa->get_sa_config(this->ike_sa);
+
+ /* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */
+ payloads = request->get_payload_iterator(request);
+ while (payloads->has_next(payloads))
+ {
+ payload_t *payload;
+ payloads->current(payloads, (void**)&payload);
+
+ switch (payload->get_type(payload))
+ {
+ case AUTHENTICATION:
+ {
+ auth_payload = (auth_payload_t*)payload;
+ break;
+ }
+ case ID_RESPONDER:
+ {
+ idr_payload = (id_payload_t*)payload;
+ break;
+ }
+ case SECURITY_ASSOCIATION:
+ {
+ sa_payload = (sa_payload_t*)payload;
+ break;
+ }
+ case CERTIFICATE:
+ {
+ /* TODO handle cert payloads */
+ break;
+ }
+ case TRAFFIC_SELECTOR_INITIATOR:
+ {
+ tsi_payload = (ts_payload_t*)payload;
+ break;
+ }
+ case TRAFFIC_SELECTOR_RESPONDER:
+ {
+ tsr_payload = (ts_payload_t*)payload;
+ break;
+ }
+ default:
+ {
+ /* can't happen, since message is verified, notify's? */
+ break;
+ }
+ }
+ }
+ /* iterator can be destroyed */
+ payloads->destroy(payloads);
+
+
+ /* add payloads to it */
+ status = this->process_idr_payload(this, idr_payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Processing idr payload failed");
+ return status;
+ }
+ status = this->process_sa_payload(this, sa_payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Processing sa payload failed");
+ return status;
+ }
+ status = this->process_auth_payload(this, auth_payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Processing auth payload failed");
+ return status;
+ }
+ status = this->process_ts_payload(this, TRUE, tsi_payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Processing tsi payload failed");
+ return status;
+ }
+ status = this->process_ts_payload(this, FALSE, tsr_payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Processing tsr payload failed");
+ return status;
+ }
+
+ this->logger->log(this->logger, CONTROL | MORE, "IKE_AUTH response successfully handled. IKE_SA established.");
+
+ /* create new state */
+ this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
+
+ return SUCCESS;
+}
+
+/**
+ * Implements private_ike_auth_requested_t.build_idr_payload
*/
-static status_t process_message(private_ike_auth_requested_t *this, message_t *message)
+static status_t process_idr_payload(private_ike_auth_requested_t *this, id_payload_t *idr_payload)
{
+ identification_t *other_id, *configured_other_id;
+
+ other_id = idr_payload->get_identification(idr_payload);
+
+ configured_other_id = this->sa_config->get_other_id(this->sa_config);
+ if (configured_other_id)
+ {
+ if (!other_id->equals(other_id, configured_other_id))
+ {
+ this->logger->log(this->logger, ERROR, "IKE_AUTH reply didn't contain requested id");
+ return FAILED;
+ }
+ }
+
+ /* TODO do we have to store other_id somewhere ? */
+ return SUCCESS;
+}
+
+/**
+ * Implements private_ike_auth_requested_t.build_sa_payload
+ */
+static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payload_t *sa_payload)
+{
+ child_proposal_t *proposals, *proposal_chosen;
+ size_t proposal_count;
+ status_t status;
+
+ /* dummy spis, until we have a child sa to request them */
+ u_int8_t ah_spi[4] = {0x01, 0x02, 0x03, 0x04};
+ u_int8_t esp_spi[4] = {0x05, 0x06, 0x07, 0x08};
+
+ /* check selected proposal */
+ status = sa_payload->get_child_proposals(sa_payload, &proposals, &proposal_count);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "responders sa payload contained no proposals");
+ return FAILED;
+ }
+ if (proposal_count > 1)
+ {
+ allocator_free(proposals);
+ this->logger->log(this->logger, ERROR, "responders sa payload contained more than one proposal");
+ return FAILED;
+ }
+
+ proposal_chosen = this->sa_config->select_proposal(this->sa_config, ah_spi, esp_spi, proposals, proposal_count);
+ if (proposal_chosen == NULL)
+ {
+ this->logger->log(this->logger, ERROR, "responder selected an not offered proposal");
+ allocator_free(proposals);
+ return FAILED;
+ }
+ else
+ {
+ allocator_free(proposal_chosen);
+ }
+
+ allocator_free(proposals);
+
return SUCCESS;
}
+/**
+ * Implements private_ike_auth_requested_t.build_auth_payload
+ */
+static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload)
+{
+ /* TODO VERIFY auth here */
+ return SUCCESS;
+}
+
+/**
+ * Implements private_ike_auth_requested_t.build_ts_payload
+ */
+static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload)
+{
+ traffic_selector_t **ts_received, **ts_selected;
+ size_t ts_received_count, ts_selected_count;
+ status_t status = SUCCESS;
+
+ /* get ts form payload */
+ ts_received_count = ts_payload->get_traffic_selectors(ts_payload, &ts_received);
+ /* select ts depending on payload type */
+ if (ts_initiator)
+ {
+ ts_selected_count = this->sa_config->select_traffic_selectors_initiator(this->sa_config, ts_received, ts_received_count, &ts_selected);
+ }
+ else
+ {
+ ts_selected_count = this->sa_config->select_traffic_selectors_responder(this->sa_config, ts_received, ts_received_count, &ts_selected);
+ }
+ /* check if the responder selected valid proposals */
+ if (ts_selected_count != ts_received_count)
+ {
+ this->logger->log(this->logger, ERROR, "responder selected invalid traffic selectors");
+ status = FAILED;
+ }
+
+ /* cleanup */
+ while(ts_received_count--)
+ {
+ traffic_selector_t *ts = *ts_received + ts_received_count;
+ ts->destroy(ts);
+ }
+ allocator_free(ts_received);
+ while(ts_selected_count--)
+ {
+ traffic_selector_t *ts = *ts_selected + ts_selected_count;
+ ts->destroy(ts);
+ }
+ allocator_free(ts_selected);
+ return status;
+}
/**
* Implements state_t.get_state
*/
this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
+ /* private functions */
+
+ this->process_idr_payload = process_idr_payload;
+ this->process_sa_payload = process_sa_payload;
+ this->process_auth_payload = process_auth_payload;
+ this->process_ts_payload = process_ts_payload;
+
/* private data */
this->ike_sa = ike_sa;
this->sent_nonce = sent_nonce;
sa_config = this->ike_sa->get_sa_config(this->ike_sa);
traffic_selectors_count = sa_config->get_traffic_selectors_initiator(sa_config,&traffic_selectors);
+ printf("traffic_selectors: %d\n", traffic_selectors_count);
ts_payload = ts_payload_create_from_traffic_selectors(TRUE,traffic_selectors, traffic_selectors_count);
+
allocator_free(traffic_selectors);
*payload = (payload_t *) ts_payload;
#include <encoding/payloads/auth_payload.h>
#include <transforms/signers/signer.h>
#include <transforms/crypters/crypter.h>
+#include <sa/states/ike_sa_established.h>
typedef struct private_ike_sa_init_responded_t private_ike_sa_init_responded_t;
ike_sa_init_responded_t public;
/**
- * Shared secret from DH-Exchange
- *
- * All needed secrets are derived from this shared secret and then passed to the next
- * state of type ike_sa_established_t
- */
- chunk_t shared_secret;
-
- /**
- * Sent nonce used to calculate secrets
- */
- chunk_t received_nonce;
-
- /**
- * Sent nonce used to calculate secrets
+ * Assigned IKE_SA
*/
- chunk_t sent_nonce;
+ protected_ike_sa_t *ike_sa;
/**
- * Assigned IKE_SA
+ * sa config to use
*/
- protected_ike_sa_t *ike_sa;
+ sa_config_t *sa_config;
/**
* Logger used to log data
* Is logger of ike_sa!
*/
logger_t *logger;
+
+ status_t (*build_idr_payload) (private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response);
+ status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response);
+ status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request, message_t *response);
+ status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response);
};
/**
* Implements state_t.get_state
*/
-static status_t process_message(private_ike_sa_init_responded_t *this, message_t *message)
+static status_t process_message(private_ike_sa_init_responded_t *this, message_t *request)
{
status_t status;
signer_t *signer;
crypter_t *crypter;
iterator_t *payloads;
exchange_type_t exchange_type;
- id_payload_t *idi_payload, *idr_payload;
- auth_payload_t *auth_payload;
- sa_payload_t *sa_payload;
- ts_payload_t *tsi_payload, *tsr_payload;
+ id_payload_t *idi_request, *idr_request = NULL;
+ auth_payload_t *auth_request;
+ sa_payload_t *sa_request;
+ ts_payload_t *tsi_request, *tsr_request;
+ message_t *response;
+ packet_t *response_packet;
- exchange_type = message->get_exchange_type(message);
+ exchange_type = request->get_exchange_type(request);
if (exchange_type != IKE_AUTH)
{
this->logger->log(this->logger, ERROR | MORE, "Message of type %s not supported in state ike_sa_init_responded",
return FAILED;
}
- if (!message->get_request(message))
+ if (!request->get_request(request))
{
this->logger->log(this->logger, ERROR | MORE, "Only requests of type IKE_AUTH supported in state ike_sa_init_responded");
return FAILED;
/* parse incoming message */
- status = message->parse_body(message, crypter, signer);
+ status = request->parse_body(request, crypter, signer);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not parse body of request message");
}
/* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */
- payloads = message->get_payload_iterator(message);
+ payloads = request->get_payload_iterator(request);
while (payloads->has_next(payloads))
{
payload_t *payload;
{
case ID_INITIATOR:
{
- idi_payload = (id_payload_t*)payload;
+ idi_request = (id_payload_t*)payload;
break;
}
case AUTHENTICATION:
{
- auth_payload = (auth_payload_t*)payload;
+ auth_request = (auth_payload_t*)payload;
break;
}
case ID_RESPONDER:
{
- /* TODO handle idr payloads */
+ idr_request = (id_payload_t*)payload;
break;
}
case SECURITY_ASSOCIATION:
{
- sa_payload = (sa_payload_t*)payload;
+ sa_request = (sa_payload_t*)payload;
break;
}
case CERTIFICATE:
}
case TRAFFIC_SELECTOR_INITIATOR:
{
- tsi_payload = (ts_payload_t*)payload;
+ tsi_request = (ts_payload_t*)payload;
break;
}
case TRAFFIC_SELECTOR_RESPONDER:
{
- tsr_payload = (ts_payload_t*)payload;
+ tsr_request = (ts_payload_t*)payload;
break;
}
default:
{
- /* can't happen, since message is verified */
+ /* can't happen, since message is verified, notify's? */
break;
}
}
/* iterator can be destroyed */
payloads->destroy(payloads);
+ /* build response */
+ this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
- /*
- * ID Payload
- */
- this->logger->log(this->logger, CONTROL|MOST, "type of IDi is %s",
- mapping_find(id_type_m, idi_payload->get_id_type(idi_payload)));
- chunk_t data = idi_payload->get_data(idi_payload);
-
- this->logger->log(this->logger, CONTROL|MOST, "data of IDi is %s",
- data.ptr);
-
-// charon->configuration_manager->get_my_default_id(charon->configuration_manager, id
-//
-//
-//
-//
-// this->logger->log(this->logger, CONTROL|MOST, "type of AUTH is %s",
-// mapping_find(auth_method_m, auth_payload->get_auth_method(auth_payload)));
-//
-// /* get the list of suggested proposals */
-// suggested_proposals = sa_payload->create_proposal_substructure_iterator(sa_payload, TRUE);
-//
-// /* now let the configuration-manager select a subset of the proposals */
-// status = charon->configuration_manager->select_proposals_for_host(charon->configuration_manager,
-// this->ike_sa->get_other_host(this->ike_sa), suggested_proposals, accepted_proposals);
-//
-
-// iterator = tsi_payload->create_traffic_selector_substructure_iterator(tsi_payload, TRUE);
-// while (iterator->has_next(iterator))
-// {
-// traffic_selector_substructure_t *ts;
-// iterator->current(iterator, (void**)ts);
-// this->logger->log(this->logger, CONTROL|MOST, "type of TSi is %s",
-// mapping_find(ts_type_m, ts->get_ts_type(ts)));
-//
-// }
-// iterator->destroy(iterator);
-//
-// iterator = tsr_payload->create_traffic_selector_substructure_iterator(tsr_payload, TRUE);
-// while (iterator->has_next(iterator))
-// {
-// traffic_selector_substructure_t *ts;
-// iterator->current(iterator, (void**)ts);
-// this->logger->log(this->logger, CONTROL|MOST, "type of TSr is %s",
-// mapping_find(ts_type_m, ts->get_ts_type(ts)));
-//
-// }
-// iterator->destroy(iterator);
-
-
-
- this->logger->log(this->logger, CONTROL | MORE, "Request successfully handled. Going to create reply.");
+ /* add payloads to it */
+ status = this->build_idr_payload(this, idi_request, idr_request, response);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Building idr payload failed");
+ response->destroy(response);
+ return status;
+ }
+ status = this->build_sa_payload(this, sa_request, response);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Building sa payload failed");
+ response->destroy(response);
+ return status;
+ }
+ status = this->build_auth_payload(this, auth_request, response);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Building auth payload failed");
+ response->destroy(response);
+ return status;
+ }
+ status = this->build_ts_payload(this, TRUE, tsi_request, response);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Building tsi payload failed");
+ response->destroy(response);
+ return status;
+ }
+ status = this->build_ts_payload(this, FALSE, tsr_request, response);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Building tsr payload failed");
+ response->destroy(response);
+ return status;
+ }
+
+ /* generate response, get transfroms first */
+ signer = this->ike_sa->get_signer_responder(this->ike_sa);
+ crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
+ status = response->generate(response, crypter, signer, &response_packet);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Error in message generation");
+ response->destroy(response);
+ return status;
+ }
+
+
+ /* send it out */
+ this->logger->log(this->logger, CONTROL | MORE, "IKE_AUTH request successfully handled. Sending reply.");
+ charon->send_queue->add(charon->send_queue, response_packet);
+ /* store for timeout reply */
+ this->ike_sa->set_last_responded_message(this->ike_sa, response);
+
+ /* create new state */
+ this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
+
return SUCCESS;
}
-
-static status_t build_id_payload(private_ike_sa_init_responded_t *this, id_payload_t *id_payload)
+/**
+ * Implements private_ike_sa_init_responded_t.build_idr_payload
+ */
+static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response)
{
+ identification_t *other_id, *my_id = NULL;
+ init_config_t *init_config;
+ status_t status;
+ id_payload_t *idr_response;
+
+ other_id = request_idi->get_identification(request_idi);
+ if (request_idr)
+ {
+ my_id = request_idr->get_identification(request_idr);
+ }
+
+ /* build new sa config */
+ init_config = this->ike_sa->get_init_config(this->ike_sa);
+ status = charon->configuration_manager->get_sa_config_for_init_config_and_id(charon->configuration_manager,init_config, other_id,my_id, &(this->sa_config));
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Could not find config for %s", other_id->get_string(other_id));
+ return NOT_FOUND;
+ }
+
+ /* set sa_config in ike_sa for other states */
+ this->ike_sa->set_sa_config(this->ike_sa, this->sa_config);
+
+ /* build response */
+ idr_response = id_payload_create_from_identification(FALSE, other_id);
+ response->add_payload(response, (payload_t*)idr_response);
+
+ if (my_id)
+ {
+ my_id->destroy(my_id);
+ }
+ other_id->destroy(other_id);
+
return SUCCESS;
}
+/**
+ * Implements private_ike_sa_init_responded_t.build_sa_payload
+ */
+static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response)
+{
+ child_proposal_t *proposals, *proposal_chosen;
+ size_t proposal_count;
+ status_t status;
+ sa_payload_t *sa_response;
+
+ /* dummy spis, until we have a child sa to request them */
+ u_int8_t ah_spi[4] = {0x01, 0x02, 0x03, 0x04};
+ u_int8_t esp_spi[4] = {0x05, 0x06, 0x07, 0x08};
+
+ status = request->get_child_proposals(request, &proposals, &proposal_count);
+ if (status == SUCCESS)
+ {
+ proposal_chosen = this->sa_config->select_proposal(this->sa_config, ah_spi, esp_spi, proposals, proposal_count);
+ if (proposal_chosen != NULL)
+ {
+ sa_response = sa_payload_create_from_child_proposals(proposal_chosen, 1);
+ response->add_payload(response, (payload_t*)sa_response);
+ }
+ else
+ {
+ this->logger->log(this->logger, ERROR, "no matching proposal found");
+ status = NOT_FOUND;
+ }
+ }
+ else
+ {
+ this->logger->log(this->logger, ERROR, "requestor's sa payload contained no proposals");
+ status = NOT_FOUND;
+ }
+
+
+ allocator_free(proposal_chosen);
+ allocator_free(proposals);
+
+
+ return status;
+}
+
+/**
+ * Implements private_ike_sa_init_responded_t.build_auth_payload
+ */
+static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_payload_t *request, message_t *response)
+{
+ auth_payload_t *dummy;
+ u_int8_t data[] = {0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03};
+ chunk_t auth_data;
+ auth_data.ptr = data;
+ auth_data.len = sizeof(data);
+
+ /* TODO VERIFY auth here */
+
+ dummy = auth_payload_create();
+ dummy->set_data(dummy, auth_data);
+ dummy->set_auth_method(dummy, RSA_DIGITAL_SIGNATURE);
+
+ /* TODO replace dummy */
+
+ response->add_payload(response, (payload_t *)dummy);
+ return SUCCESS;
+}
+
+/**
+ * Implements private_ike_sa_init_responded_t.build_ts_payload
+ */
+static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t* response)
+{
+ traffic_selector_t **ts_received, **ts_selected;
+ size_t ts_received_count, ts_selected_count;
+ status_t status = SUCCESS;
+ ts_payload_t *ts_response;
+
+ /* build a reply payload with selected traffic selectors */
+ ts_received_count = request->get_traffic_selectors(request, &ts_received);
+ /* select ts depending on payload type */
+ if (ts_initiator)
+ {
+ ts_selected_count = this->sa_config->select_traffic_selectors_initiator(this->sa_config, ts_received, ts_received_count, &ts_selected);
+ }
+ else
+ {
+ ts_selected_count = this->sa_config->select_traffic_selectors_responder(this->sa_config, ts_received, ts_received_count, &ts_selected);
+ }
+ if(ts_selected_count == 0)
+ {
+ status = NOT_FOUND;
+ }
+ else
+ {
+ ts_response = ts_payload_create_from_traffic_selectors(FALSE, ts_selected, ts_selected_count);
+ response->add_payload(response, (payload_t*)ts_response);
+ }
+
+ /* cleanup */
+ while(ts_received_count--)
+ {
+ traffic_selector_t *ts = *ts_received + ts_received_count;
+ ts->destroy(ts);
+ }
+ allocator_free(ts_received);
+ while(ts_selected_count--)
+ {
+ traffic_selector_t *ts = *ts_selected + ts_selected_count;
+ ts->destroy(ts);
+ }
+ allocator_free(ts_selected);
+ return status;
+}
+
/**
* Implements state_t.get_state
*/
{
this->logger->log(this->logger, CONTROL | MORE, "Going to destroy ike_sa_init_responded_t state object");
- this->logger->log(this->logger, CONTROL | MOST, "Destroy shared_secret");
- allocator_free(this->shared_secret.ptr);
-
- this->logger->log(this->logger, CONTROL | MOST, "Destroy sent nonce");
- allocator_free(this->sent_nonce.ptr);
-
- this->logger->log(this->logger, CONTROL | MOST, "Destroy received nonce");
- allocator_free(this->received_nonce.ptr);
+ charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
allocator_free(this);
}
/*
* Described in header.
*/
-
-ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t shared_secret, chunk_t received_nonce, chunk_t sent_nonce)
+ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa)
{
private_ike_sa_init_responded_t *this = allocator_alloc_thing(private_ike_sa_init_responded_t);
this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
+ /* private functions */
+ this->build_idr_payload = build_idr_payload;
+ this->build_sa_payload = build_sa_payload;
+ this->build_auth_payload = build_auth_payload;
+ this->build_ts_payload = build_ts_payload;
+
/* private data */
this->ike_sa = ike_sa;
this->logger = this->ike_sa->get_logger(this->ike_sa);
- this->shared_secret = shared_secret;
- this->received_nonce = received_nonce;
- this->sent_nonce = sent_nonce;
return &(this->public);
}
*
* @ingroup states
*/
-ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t shared_secret, chunk_t received_nonce, chunk_t sent_nonce);
+ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa);
#endif /*IKE_SA_INIT_RESPONDED_H_*/
/* state can now be changed */
this->logger->log(this->logger, CONTROL|MOST, "Create next state object");
- next_state = ike_sa_init_responded_create(this->ike_sa, shared_secret, this->received_nonce, this->sent_nonce);
+ next_state = ike_sa_init_responded_create(this->ike_sa);
/* last message can now be set */
status = this->ike_sa->set_last_responded_message(this->ike_sa, response);
{TESTER, "TESTER"},
{DAEMON, "DAEMON"},
{CONFIGURATION_MANAGER, "CONFIG"},
+ {ENCRYPTION_PAYLOAD, "ENCPLD"},
};
/**
logger_level |= FULL;
case IKE_SA_MANAGER:
case MESSAGE:
+ case ENCRYPTION_PAYLOAD:
case WORKER:
logger_level |= ALL;
case PARSER:
TESTER,
DAEMON,
CONFIGURATION_MANAGER,
+ ENCRYPTION_PAYLOAD,
};
typedef struct logger_manager_t logger_manager_t;