diff options
| -rw-r--r-- | Source/charon/config/configuration_manager.c | 13 | ||||
| -rw-r--r-- | Source/charon/config/sa_config.c | 71 | ||||
| -rw-r--r-- | Source/charon/encoding/message.c | 3 | ||||
| -rw-r--r-- | Source/charon/encoding/payloads/encryption_payload.c | 79 | ||||
| -rw-r--r-- | Source/charon/encoding/payloads/ts_payload.c | 5 | ||||
| -rw-r--r-- | Source/charon/sa/ike_sa.c | 19 | ||||
| -rw-r--r-- | Source/charon/sa/ike_sa.h | 16 | ||||
| -rw-r--r-- | Source/charon/sa/states/ike_auth_requested.c | 284 | ||||
| -rw-r--r-- | Source/charon/sa/states/ike_sa_init_requested.c | 2 | ||||
| -rw-r--r-- | Source/charon/sa/states/ike_sa_init_responded.c | 345 | ||||
| -rw-r--r-- | Source/charon/sa/states/ike_sa_init_responded.h | 2 | ||||
| -rw-r--r-- | Source/charon/sa/states/responder_init.c | 2 | ||||
| -rw-r--r-- | Source/charon/utils/logger_manager.c | 2 | ||||
| -rw-r--r-- | Source/charon/utils/logger_manager.h | 1 |
14 files changed, 701 insertions, 143 deletions
diff --git a/Source/charon/config/configuration_manager.c b/Source/charon/config/configuration_manager.c index 73e5aab9a..f3c3cd4cc 100644 --- a/Source/charon/config/configuration_manager.c +++ b/Source/charon/config/configuration_manager.c @@ -152,7 +152,7 @@ static void load_default_config (private_configuration_manager_t *this) init_config_t *init_config1, *init_config2, *init_config3; ike_proposal_t proposals[2]; child_proposal_t child_proposals[1]; - sa_config_t *sa_config1, *sa_config2; + sa_config_t *sa_config1, *sa_config2, *sa_config3; traffic_selector_t *ts; init_config1 = init_config_create("152.96.193.131","152.96.193.131",IKEV2_UDP_PORT,IKEV2_UDP_PORT); @@ -195,6 +195,13 @@ static void load_default_config (private_configuration_manager_t *this) sa_config2->add_traffic_selector_initiator(sa_config2,ts); sa_config2->add_traffic_selector_responder(sa_config2,ts); + + sa_config3 = sa_config_create(ID_IPV4_ADDR, "127.0.0.1", + ID_IPV4_ADDR, "127.0.0.1", + SHARED_KEY_MESSAGE_INTEGRITY_CODE); + + sa_config3->add_traffic_selector_initiator(sa_config3,ts); + sa_config3->add_traffic_selector_responder(sa_config3,ts); ts->destroy(ts); @@ -210,6 +217,7 @@ static void load_default_config (private_configuration_manager_t *this) child_proposals[0].esp.encryption_algorithm = ENCR_AES_CBC; child_proposals[0].esp.encryption_algorithm_key_size = 16; child_proposals[0].esp.integrity_algorithm = AUTH_UNDEFINED; + child_proposals[0].esp.extended_sequence_numbers = NO_EXT_SEQ_NUMBERS; child_proposals[0].esp.spi[0] = 2; child_proposals[0].esp.spi[1] = 2; child_proposals[0].esp.spi[2] = 2; @@ -217,10 +225,11 @@ static void load_default_config (private_configuration_manager_t *this) sa_config1->add_proposal(sa_config1, &child_proposals[0]); sa_config2->add_proposal(sa_config2, &child_proposals[0]); + sa_config3->add_proposal(sa_config3, &child_proposals[0]); this->add_new_configuration(this,"pinflb31",init_config1,sa_config2); this->add_new_configuration(this,"pinflb30",init_config2,sa_config1); - this->add_new_configuration(this,"localhost",init_config3,sa_config1); + this->add_new_configuration(this,"localhost",init_config3,sa_config3); } diff --git a/Source/charon/config/sa_config.c b/Source/charon/config/sa_config.c index 2d91f7bbe..623f8be87 100644 --- a/Source/charon/config/sa_config.c +++ b/Source/charon/config/sa_config.c @@ -260,31 +260,74 @@ static child_proposal_t *select_proposal(private_sa_config_t *this, u_int8_t ah_ */ static bool proposal_equals(private_sa_config_t *this, child_proposal_t *first, child_proposal_t *second) { + /* + * Proto ? Mandatory ? Optional + * ----------------------------------- + * ESP ? ENCR ? INTEG, D-H, ESN + * AH ? INTEG ? D-H, ESN + */ + + /* equality defaults to false, so return is FALSE if ah and esp not set */ bool equal = FALSE; + /* check ah, if set */ if (first->ah.is_set && second->ah.is_set) { - if ((first->ah.integrity_algorithm != second->ah.integrity_algorithm) || - (first->ah.integrity_algorithm_key_size != second->ah.integrity_algorithm_key_size) || - (first->ah.diffie_hellman_group != second->ah.diffie_hellman_group) || - (first->ah.extended_sequence_numbers != second->ah.extended_sequence_numbers)) + /* integrity alg is mandatory, with key size */ + if ((first->ah.integrity_algorithm == second->ah.integrity_algorithm) && + (first->ah.integrity_algorithm_key_size == second->ah.integrity_algorithm_key_size)) { - return FALSE; + /* dh group is optional, but must be NOT_SET when not set */ + if (first->ah.diffie_hellman_group != second->ah.diffie_hellman_group) + { + return FALSE; + } + /* sequence numbers is optional, but must be NOT_SET when not set */ + if (first->ah.extended_sequence_numbers != second->ah.extended_sequence_numbers) + { + return FALSE; + } + /* all checked, ah seems ok */ + equal = TRUE; + } + else + { + return FALSE; } - equal = TRUE; } + /* check esp, if set */ if (first->esp.is_set && second->esp.is_set) { - if ((first->esp.encryption_algorithm != second->esp.encryption_algorithm) || - (first->esp.encryption_algorithm_key_size != second->esp.encryption_algorithm_key_size) || - (first->esp.integrity_algorithm != second->esp.integrity_algorithm) || - (first->esp.integrity_algorithm_key_size != second->esp.integrity_algorithm_key_size) || - (first->esp.diffie_hellman_group != second->esp.diffie_hellman_group) || - (first->esp.extended_sequence_numbers != second->esp.extended_sequence_numbers)) + /* encryption alg is mandatory, with key size */ + if ((first->esp.encryption_algorithm == second->esp.encryption_algorithm) && + (first->esp.encryption_algorithm_key_size == second->esp.encryption_algorithm_key_size)) + { + /* int alg is optional, check key only when not NOT_SET */ + if (first->esp.integrity_algorithm != second->esp.integrity_algorithm) + { + return FALSE; + } + if ((first->esp.integrity_algorithm != AUTH_UNDEFINED) && + (first->esp.integrity_algorithm_key_size != second->esp.integrity_algorithm_key_size)) + { + return FALSE; + } + /* dh group is optional, but must be NOT_SET when not set */ + if (first->esp.diffie_hellman_group != second->esp.diffie_hellman_group) + { + return FALSE; + } + if (first->esp.extended_sequence_numbers != second->esp.extended_sequence_numbers) + { + return FALSE; + } + /* all checked, esp seems ok */ + equal = TRUE; + } + else { - return FALSE; + return FALSE; } - equal = TRUE; } return equal; } diff --git a/Source/charon/encoding/message.c b/Source/charon/encoding/message.c index bf33c5067..bcc34ca96 100644 --- a/Source/charon/encoding/message.c +++ b/Source/charon/encoding/message.c @@ -895,7 +895,8 @@ static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t * status = encryption_payload->decrypt(encryption_payload); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | MORE, "Encrypted payload could not be decrypted and parsed"); + this->logger->log(this->logger, ERROR | MORE, "Encrypted payload could not be decrypted and parsed: %s", + mapping_find(status_m, status)); iterator->destroy(iterator); return status; } diff --git a/Source/charon/encoding/payloads/encryption_payload.c b/Source/charon/encoding/payloads/encryption_payload.c index 70bdcc9b2..7ea290404 100644 --- a/Source/charon/encoding/payloads/encryption_payload.c +++ b/Source/charon/encoding/payloads/encryption_payload.c @@ -25,9 +25,11 @@ #include "encryption_payload.h" +#include <daemon.h> #include <encoding/payloads/encodings.h> #include <utils/allocator.h> #include <utils/linked_list.h> +#include <utils/logger.h> #include <encoding/generator.h> #include <encoding/parser.h> #include <utils/iterator.h> @@ -93,6 +95,11 @@ struct private_encryption_payload_t { */ linked_list_t *payloads; + /** + * logger for this payload, uses MESSAGE context + */ + logger_t *logger; + /** * @brief Computes the length of this payload. * @@ -106,6 +113,12 @@ struct private_encryption_payload_t { * @param this calling private_encryption_payload_t object */ void (*generate) (private_encryption_payload_t *this); + + /** + * @brief Parse payloads from a (unencrypted) chunk. + * + * @param this calling private_encryption_payload_t object + */ status_t (*parse) (private_encryption_payload_t *this); }; @@ -163,24 +176,6 @@ static status_t verify(private_encryption_payload_t *this) } /** - * Implementation of payload_t.destroy. - */ -static void destroy(private_encryption_payload_t *this) -{ - /* all proposals are getting destroyed */ - while (this->payloads->get_count(this->payloads) > 0) - { - payload_t *current_payload; - this->payloads->remove_last(this->payloads,(void **)¤t_payload); - current_payload->destroy(current_payload); - } - this->payloads->destroy(this->payloads); - allocator_free(this->encrypted.ptr); - allocator_free(this->decrypted.ptr); - allocator_free(this); -} - -/** * Implementation of payload_t.get_encoding_rules. */ static void get_encoding_rules(private_encryption_payload_t *this, encoding_rule_t **rules, size_t *rule_count) @@ -281,15 +276,19 @@ static status_t encrypt(private_encryption_payload_t *this) if (this->signer == NULL || this->crypter == NULL) { + this->logger->log(this->logger, ERROR, "could not encrypt, signer/crypter not set"); return INVALID_STATE; } /* for random data in iv and padding */ randomizer = randomizer_create(); + /* build payload chunk */ this->generate(this); + this->logger->log(this->logger, CONTROL|MOST, "encrypting payloads"); + /* build padding */ block_size = this->crypter->get_block_size(this->crypter); padding.len = block_size - ((this->decrypted.len + 1) % block_size); @@ -315,6 +314,7 @@ static status_t encrypt(private_encryption_payload_t *this) allocator_free(to_crypt.ptr); if (status != SUCCESS) { + this->logger->log(this->logger, ERROR, "encryption failed"); allocator_free(iv.ptr); return status; } @@ -342,8 +342,12 @@ static status_t decrypt(private_encryption_payload_t *this) u_int8_t padding_length; status_t status; + + this->logger->log(this->logger, CONTROL|MOST, "decrypting encryption payload"); + if (this->signer == NULL || this->crypter == NULL) { + this->logger->log(this->logger, ERROR, "could not decrypt, no crypter/signer set"); return INVALID_STATE; } @@ -360,6 +364,7 @@ static status_t decrypt(private_encryption_payload_t *this) */ if (concatenated.len < iv.len) { + this->logger->log(this->logger, ERROR, "could not decrypt, invalid input"); return FAILED; } @@ -369,6 +374,7 @@ static status_t decrypt(private_encryption_payload_t *this) status = this->crypter->decrypt(this->crypter, concatenated, iv, &(this->decrypted)); if (status != SUCCESS) { + this->logger->log(this->logger, ERROR, "could not decrypt, decryption failed"); return FAILED; } @@ -381,6 +387,7 @@ static status_t decrypt(private_encryption_payload_t *this) /* check size again */ if (padding_length > concatenated.len || this->decrypted.len < 0) { + this->logger->log(this->logger, ERROR, "decryption failed, invalid padding length found. Invalid key ?"); /* decryption failed :-/ */ return FAILED; } @@ -388,6 +395,7 @@ static status_t decrypt(private_encryption_payload_t *this) /* free padding */ this->decrypted.ptr = allocator_realloc(this->decrypted.ptr, this->decrypted.len); + this->logger->log(this->logger, CONTROL|MOST, "decryption successful, trying to parse content"); return (this->parse(this)); } @@ -410,12 +418,14 @@ static status_t build_signature(private_encryption_payload_t *this, chunk_t data if (this->signer == NULL) { + this->logger->log(this->logger, ERROR, "unable to build signature, no signer set"); return INVALID_STATE; } sig.len = this->signer->get_block_size(this->signer); data_without_sig.len -= sig.len; sig.ptr = data.ptr + data_without_sig.len; + this->logger->log(this->logger, CONTROL|MOST, "building signature"); this->signer->get_signature(this->signer, data_without_sig, sig.ptr); return SUCCESS; } @@ -430,12 +440,14 @@ static status_t verify_signature(private_encryption_payload_t *this, chunk_t dat if (this->signer == NULL) { + this->logger->log(this->logger, ERROR, "unable to verify signature, no signer set"); return INVALID_STATE; } /* find signature in data chunk */ sig.len = this->signer->get_block_size(this->signer); if (data.len <= sig.len) { + this->logger->log(this->logger, ERROR|MORE, "unable to verify signature, invalid input"); return FAILED; } sig.ptr = data.ptr + data.len - sig.len; @@ -447,9 +459,11 @@ static status_t verify_signature(private_encryption_payload_t *this, chunk_t dat if (!valid) { + this->logger->log(this->logger, ERROR|MORE, "signature verification failed"); return FAILED; } + this->logger->log(this->logger, CONTROL|MOST, "signature verification successful"); return SUCCESS; } @@ -477,6 +491,7 @@ static void generate(private_encryption_payload_t *this) else { /* no paylads? */ + this->logger->log(this->logger, CONTROL|MOST, "generating contained payloads, but no available"); allocator_free(this->decrypted.ptr); this->decrypted = CHUNK_INITIALIZER; iterator->destroy(iterator); @@ -504,6 +519,7 @@ static void generate(private_encryption_payload_t *this) generator->write_to_chunk(generator, &(this->decrypted)); generator->destroy(generator); + this->logger->log(this->logger, CONTROL|MOST, "successfully generated content in encrpytion payload"); } /** @@ -518,6 +534,7 @@ static status_t parse(private_encryption_payload_t *this) /* check if there is decrypted data */ if (this->decrypted.ptr == NULL) { + this->logger->log(this->logger, ERROR, "unable to parse, no input!"); return INVALID_STATE; } @@ -541,6 +558,10 @@ static status_t parse(private_encryption_payload_t *this) status = current_payload->verify(current_payload); if (status != SUCCESS) { + + this->logger->log(this->logger, ERROR, "%s verification failed: %s", + mapping_find(payload_type_m,current_payload->get_type(current_payload)), + mapping_find(status_m, status)); current_payload->destroy(current_payload); parser->destroy(parser); return VERIFY_ERROR; @@ -552,6 +573,7 @@ static status_t parse(private_encryption_payload_t *this) this->payloads->insert_last(this->payloads,current_payload); } parser->destroy(parser); + this->logger->log(this->logger, CONTROL|MOST, "succesfully parsed content of encryption payload"); return SUCCESS; } @@ -589,6 +611,26 @@ static void compute_length(private_encryption_payload_t *this) this->payload_length = length; } + +/** + * Implementation of payload_t.destroy. + */ +static void destroy(private_encryption_payload_t *this) +{ + /* all proposals are getting destroyed */ + while (this->payloads->get_count(this->payloads) > 0) + { + payload_t *current_payload; + this->payloads->remove_last(this->payloads,(void **)¤t_payload); + current_payload->destroy(current_payload); + } + this->payloads->destroy(this->payloads); + charon->logger_manager->destroy_logger(charon->logger_manager, this->logger); + allocator_free(this->encrypted.ptr); + allocator_free(this->decrypted.ptr); + allocator_free(this); +} + /* * Described in header */ @@ -622,6 +664,7 @@ encryption_payload_t *encryption_payload_create() this->compute_length = compute_length; this->generate = generate; this->parse = parse; + this->logger = charon->logger_manager->create_logger(charon->logger_manager, ENCRYPTION_PAYLOAD, NULL); /* set default values of the fields */ this->critical = TRUE; diff --git a/Source/charon/encoding/payloads/ts_payload.c b/Source/charon/encoding/payloads/ts_payload.c index 2ca5bc8cb..d9e17c680 100644 --- a/Source/charon/encoding/payloads/ts_payload.c +++ b/Source/charon/encoding/payloads/ts_payload.c @@ -128,7 +128,7 @@ encoding_rule_t ts_payload_encodings[] = { static status_t verify(private_ts_payload_t *this) { iterator_t *iterator; - status_t status; + status_t status = FAILED; if (this->critical) { @@ -142,7 +142,6 @@ static status_t verify(private_ts_payload_t *this) } iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE); - while(iterator->has_next(iterator)) { payload_t *current_traffic_selector; @@ -154,10 +153,8 @@ static status_t verify(private_ts_payload_t *this) break; } } - iterator->destroy(iterator); - return status; } diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c index 9acd8914a..36ed8ee9a 100644 --- a/Source/charon/sa/ike_sa.c +++ b/Source/charon/sa/ike_sa.c @@ -615,6 +615,23 @@ static signer_t *get_signer_initiator (private_ike_sa_t *this) } /** + * Implementation of protected_ike_sa_t.get_crypter_responder. + */ +static crypter_t *get_crypter_responder(private_ike_sa_t *this) +{ + return this->crypter_responder; +} + +/** + * Implementation of protected_ike_sa_t.get_signer_responder. + */ +static signer_t *get_signer_responder (private_ike_sa_t *this) +{ + return this->signer_responder; +} + + +/** * Implementation of protected_ike_sa_t.set_last_requested_message. */ static status_t set_last_requested_message (private_ike_sa_t *this,message_t * message) @@ -815,6 +832,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state; this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator; this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator; + this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder; + this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder; this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers; /* private functions */ diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h index 6fd6f0e8d..806fd6581 100644 --- a/Source/charon/sa/ike_sa.h +++ b/Source/charon/sa/ike_sa.h @@ -282,6 +282,22 @@ struct protected_ike_sa_t { * @return pointer to signer_t object */ signer_t *(*get_signer_initiator) (protected_ike_sa_t *this); + + /** + * Gets the internal stored responder crypter_t object. + * + * @param this calling object + * @return pointer to crypter_t object + */ + crypter_t *(*get_crypter_responder) (protected_ike_sa_t *this); + + /** + * Gets the internal stored responder signer object. + * + * @param this calling object + * @return pointer to signer_t object + */ + signer_t *(*get_signer_responder) (protected_ike_sa_t *this); /** * Resets message id counters and does destroy stored received and sent messages. diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c index 316b0a2c6..eb4ccae6b 100644 --- a/Source/charon/sa/states/ike_auth_requested.c +++ b/Source/charon/sa/states/ike_auth_requested.c @@ -22,8 +22,15 @@ #include "ike_auth_requested.h" +#include <daemon.h> #include <utils/allocator.h> - +#include <encoding/payloads/ts_payload.h> +#include <encoding/payloads/sa_payload.h> +#include <encoding/payloads/id_payload.h> +#include <encoding/payloads/auth_payload.h> +#include <transforms/signers/signer.h> +#include <transforms/crypters/crypter.h> +#include <sa/states/ike_sa_established.h> typedef struct private_ike_auth_requested_t private_ike_auth_requested_t; @@ -51,17 +58,281 @@ struct private_ike_auth_requested_t { * Assigned IKE_SA */ protected_ike_sa_t *ike_sa; + + /** + * SA config, just a copy of the one stored in the ike_sa + */ + sa_config_t *sa_config; + + /** + * Logger used to log data + * + * Is logger of ike_sa! + */ + logger_t *logger; + + status_t (*process_idr_payload) (private_ike_auth_requested_t *this, id_payload_t *idr_payload); + status_t (*process_sa_payload) (private_ike_auth_requested_t *this, sa_payload_t *sa_payload); + status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload); + status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload); + }; + /** - * Implements state_t.get_state + * Implements state_t.process_message + */ +static status_t process_message(private_ike_auth_requested_t *this, message_t *request) +{ + status_t status; + signer_t *signer; + crypter_t *crypter; + iterator_t *payloads; + exchange_type_t exchange_type; + id_payload_t *idr_payload; + auth_payload_t *auth_payload; + sa_payload_t *sa_payload; + ts_payload_t *tsi_payload, *tsr_payload; + + return SUCCESS; + + exchange_type = request->get_exchange_type(request); + if (exchange_type != IKE_AUTH) + { + this->logger->log(this->logger, ERROR | MORE, "Message of type %s not supported in state ike_auth_requested", + mapping_find(exchange_type_m,exchange_type)); + return FAILED; + } + + if (request->get_request(request)) + { + this->logger->log(this->logger, ERROR | MORE, "Only responses of type IKE_AUTH supported in state ike_auth_requested"); + return FAILED; + } + + /* get signer for verification and crypter for decryption */ + signer = this->ike_sa->get_signer_responder(this->ike_sa); + crypter = this->ike_sa->get_crypter_responder(this->ike_sa); + + /* parse incoming message */ + status = request->parse_body(request, crypter, signer); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR | MORE, "Could not parse body of request message"); + return status; + } + + this->sa_config = this->ike_sa->get_sa_config(this->ike_sa); + + /* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */ + payloads = request->get_payload_iterator(request); + while (payloads->has_next(payloads)) + { + payload_t *payload; + payloads->current(payloads, (void**)&payload); + + switch (payload->get_type(payload)) + { + case AUTHENTICATION: + { + auth_payload = (auth_payload_t*)payload; + break; + } + case ID_RESPONDER: + { + idr_payload = (id_payload_t*)payload; + break; + } + case SECURITY_ASSOCIATION: + { + sa_payload = (sa_payload_t*)payload; + break; + } + case CERTIFICATE: + { + /* TODO handle cert payloads */ + break; + } + case TRAFFIC_SELECTOR_INITIATOR: + { + tsi_payload = (ts_payload_t*)payload; + break; + } + case TRAFFIC_SELECTOR_RESPONDER: + { + tsr_payload = (ts_payload_t*)payload; + break; + } + default: + { + /* can't happen, since message is verified, notify's? */ + break; + } + } + } + /* iterator can be destroyed */ + payloads->destroy(payloads); + + + /* add payloads to it */ + status = this->process_idr_payload(this, idr_payload); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Processing idr payload failed"); + return status; + } + status = this->process_sa_payload(this, sa_payload); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Processing sa payload failed"); + return status; + } + status = this->process_auth_payload(this, auth_payload); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Processing auth payload failed"); + return status; + } + status = this->process_ts_payload(this, TRUE, tsi_payload); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Processing tsi payload failed"); + return status; + } + status = this->process_ts_payload(this, FALSE, tsr_payload); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Processing tsr payload failed"); + return status; + } + + this->logger->log(this->logger, CONTROL | MORE, "IKE_AUTH response successfully handled. IKE_SA established."); + + /* create new state */ + this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa)); + + return SUCCESS; +} + +/** + * Implements private_ike_auth_requested_t.build_idr_payload */ -static status_t process_message(private_ike_auth_requested_t *this, message_t *message) +static status_t process_idr_payload(private_ike_auth_requested_t *this, id_payload_t *idr_payload) { + identification_t *other_id, *configured_other_id; + + other_id = idr_payload->get_identification(idr_payload); + + configured_other_id = this->sa_config->get_other_id(this->sa_config); + if (configured_other_id) + { + if (!other_id->equals(other_id, configured_other_id)) + { + this->logger->log(this->logger, ERROR, "IKE_AUTH reply didn't contain requested id"); + return FAILED; + } + } + + /* TODO do we have to store other_id somewhere ? */ + return SUCCESS; +} + +/** + * Implements private_ike_auth_requested_t.build_sa_payload + */ +static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payload_t *sa_payload) +{ + child_proposal_t *proposals, *proposal_chosen; + size_t proposal_count; + status_t status; + + /* dummy spis, until we have a child sa to request them */ + u_int8_t ah_spi[4] = {0x01, 0x02, 0x03, 0x04}; + u_int8_t esp_spi[4] = {0x05, 0x06, 0x07, 0x08}; + + /* check selected proposal */ + status = sa_payload->get_child_proposals(sa_payload, &proposals, &proposal_count); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "responders sa payload contained no proposals"); + return FAILED; + } + if (proposal_count > 1) + { + allocator_free(proposals); + this->logger->log(this->logger, ERROR, "responders sa payload contained more than one proposal"); + return FAILED; + } + + proposal_chosen = this->sa_config->select_proposal(this->sa_config, ah_spi, esp_spi, proposals, proposal_count); + if (proposal_chosen == NULL) + { + this->logger->log(this->logger, ERROR, "responder selected an not offered proposal"); + allocator_free(proposals); + return FAILED; + } + else + { + allocator_free(proposal_chosen); + } + + allocator_free(proposals); + return SUCCESS; } /** + * Implements private_ike_auth_requested_t.build_auth_payload + */ +static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload) +{ + /* TODO VERIFY auth here */ + return SUCCESS; +} + +/** + * Implements private_ike_auth_requested_t.build_ts_payload + */ +static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload) +{ + traffic_selector_t **ts_received, **ts_selected; + size_t ts_received_count, ts_selected_count; + status_t status = SUCCESS; + + /* get ts form payload */ + ts_received_count = ts_payload->get_traffic_selectors(ts_payload, &ts_received); + /* select ts depending on payload type */ + if (ts_initiator) + { + ts_selected_count = this->sa_config->select_traffic_selectors_initiator(this->sa_config, ts_received, ts_received_count, &ts_selected); + } + else + { + ts_selected_count = this->sa_config->select_traffic_selectors_responder(this->sa_config, ts_received, ts_received_count, &ts_selected); + } + /* check if the responder selected valid proposals */ + if (ts_selected_count != ts_received_count) + { + this->logger->log(this->logger, ERROR, "responder selected invalid traffic selectors"); + status = FAILED; + } + + /* cleanup */ + while(ts_received_count--) + { + traffic_selector_t *ts = *ts_received + ts_received_count; + ts->destroy(ts); + } + allocator_free(ts_received); + while(ts_selected_count--) + { + traffic_selector_t *ts = *ts_selected + ts_selected_count; + ts->destroy(ts); + } + allocator_free(ts_selected); + return status; +} +/** * Implements state_t.get_state */ static ike_sa_state_t get_state(private_ike_auth_requested_t *this) @@ -91,6 +362,13 @@ ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa, chun this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state; this->public.state_interface.destroy = (void (*) (state_t *)) destroy; + /* private functions */ + + this->process_idr_payload = process_idr_payload; + this->process_sa_payload = process_sa_payload; + this->process_auth_payload = process_auth_payload; + this->process_ts_payload = process_ts_payload; + /* private data */ this->ike_sa = ike_sa; this->sent_nonce = sent_nonce; diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c index aa12cd1b1..424f75950 100644 --- a/Source/charon/sa/states/ike_sa_init_requested.c +++ b/Source/charon/sa/states/ike_sa_init_requested.c @@ -534,7 +534,9 @@ static void build_tsi_payload (private_ike_sa_init_requested_t *this, payload_t sa_config = this->ike_sa->get_sa_config(this->ike_sa); traffic_selectors_count = sa_config->get_traffic_selectors_initiator(sa_config,&traffic_selectors); + printf("traffic_selectors: %d\n", traffic_selectors_count); ts_payload = ts_payload_create_from_traffic_selectors(TRUE,traffic_selectors, traffic_selectors_count); + allocator_free(traffic_selectors); *payload = (payload_t *) ts_payload; diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c index 70090eb71..910987969 100644 --- a/Source/charon/sa/states/ike_sa_init_responded.c +++ b/Source/charon/sa/states/ike_sa_init_responded.c @@ -30,6 +30,7 @@ #include <encoding/payloads/auth_payload.h> #include <transforms/signers/signer.h> #include <transforms/crypters/crypter.h> +#include <sa/states/ike_sa_established.h> typedef struct private_ike_sa_init_responded_t private_ike_sa_init_responded_t; @@ -45,27 +46,14 @@ struct private_ike_sa_init_responded_t { ike_sa_init_responded_t public; /** - * Shared secret from DH-Exchange - * - * All needed secrets are derived from this shared secret and then passed to the next - * state of type ike_sa_established_t - */ - chunk_t shared_secret; - - /** - * Sent nonce used to calculate secrets - */ - chunk_t received_nonce; - - /** - * Sent nonce used to calculate secrets + * Assigned IKE_SA */ - chunk_t sent_nonce; + protected_ike_sa_t *ike_sa; /** - * Assigned IKE_SA + * sa config to use */ - protected_ike_sa_t *ike_sa; + sa_config_t *sa_config; /** * Logger used to log data @@ -73,24 +61,31 @@ struct private_ike_sa_init_responded_t { * Is logger of ike_sa! */ logger_t *logger; + + status_t (*build_idr_payload) (private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response); + status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response); + status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request, message_t *response); + status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response); }; /** * Implements state_t.get_state */ -static status_t process_message(private_ike_sa_init_responded_t *this, message_t *message) +static status_t process_message(private_ike_sa_init_responded_t *this, message_t *request) { status_t status; signer_t *signer; crypter_t *crypter; iterator_t *payloads; exchange_type_t exchange_type; - id_payload_t *idi_payload, *idr_payload; - auth_payload_t *auth_payload; - sa_payload_t *sa_payload; - ts_payload_t *tsi_payload, *tsr_payload; + id_payload_t *idi_request, *idr_request = NULL; + auth_payload_t *auth_request; + sa_payload_t *sa_request; + ts_payload_t *tsi_request, *tsr_request; + message_t *response; + packet_t *response_packet; - exchange_type = message->get_exchange_type(message); + exchange_type = request->get_exchange_type(request); if (exchange_type != IKE_AUTH) { this->logger->log(this->logger, ERROR | MORE, "Message of type %s not supported in state ike_sa_init_responded", @@ -98,7 +93,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t return FAILED; } - if (!message->get_request(message)) + if (!request->get_request(request)) { this->logger->log(this->logger, ERROR | MORE, "Only requests of type IKE_AUTH supported in state ike_sa_init_responded"); return FAILED; @@ -110,7 +105,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t /* parse incoming message */ - status = message->parse_body(message, crypter, signer); + status = request->parse_body(request, crypter, signer); if (status != SUCCESS) { this->logger->log(this->logger, ERROR | MORE, "Could not parse body of request message"); @@ -118,7 +113,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t } /* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */ - payloads = message->get_payload_iterator(message); + payloads = request->get_payload_iterator(request); while (payloads->has_next(payloads)) { payload_t *payload; @@ -128,22 +123,22 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t { case ID_INITIATOR: { - idi_payload = (id_payload_t*)payload; + idi_request = (id_payload_t*)payload; break; } case AUTHENTICATION: { - auth_payload = (auth_payload_t*)payload; + auth_request = (auth_payload_t*)payload; break; } case ID_RESPONDER: { - /* TODO handle idr payloads */ + idr_request = (id_payload_t*)payload; break; } case SECURITY_ASSOCIATION: { - sa_payload = (sa_payload_t*)payload; + sa_request = (sa_payload_t*)payload; break; } case CERTIFICATE: @@ -158,17 +153,17 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t } case TRAFFIC_SELECTOR_INITIATOR: { - tsi_payload = (ts_payload_t*)payload; + tsi_request = (ts_payload_t*)payload; break; } case TRAFFIC_SELECTOR_RESPONDER: { - tsr_payload = (ts_payload_t*)payload; + tsr_request = (ts_payload_t*)payload; break; } default: { - /* can't happen, since message is verified */ + /* can't happen, since message is verified, notify's? */ break; } } @@ -176,69 +171,226 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t /* iterator can be destroyed */ payloads->destroy(payloads); + /* build response */ + this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response); - /* - * ID Payload - */ - this->logger->log(this->logger, CONTROL|MOST, "type of IDi is %s", - mapping_find(id_type_m, idi_payload->get_id_type(idi_payload))); - chunk_t data = idi_payload->get_data(idi_payload); - - this->logger->log(this->logger, CONTROL|MOST, "data of IDi is %s", - data.ptr); - -// charon->configuration_manager->get_my_default_id(charon->configuration_manager, id -// -// -// -// -// this->logger->log(this->logger, CONTROL|MOST, "type of AUTH is %s", -// mapping_find(auth_method_m, auth_payload->get_auth_method(auth_payload))); -// -// /* get the list of suggested proposals */ -// suggested_proposals = sa_payload->create_proposal_substructure_iterator(sa_payload, TRUE); -// -// /* now let the configuration-manager select a subset of the proposals */ -// status = charon->configuration_manager->select_proposals_for_host(charon->configuration_manager, -// this->ike_sa->get_other_host(this->ike_sa), suggested_proposals, accepted_proposals); -// - -// iterator = tsi_payload->create_traffic_selector_substructure_iterator(tsi_payload, TRUE); -// while (iterator->has_next(iterator)) -// { -// traffic_selector_substructure_t *ts; -// iterator->current(iterator, (void**)ts); -// this->logger->log(this->logger, CONTROL|MOST, "type of TSi is %s", -// mapping_find(ts_type_m, ts->get_ts_type(ts))); -// -// } -// iterator->destroy(iterator); -// -// iterator = tsr_payload->create_traffic_selector_substructure_iterator(tsr_payload, TRUE); -// while (iterator->has_next(iterator)) -// { -// traffic_selector_substructure_t *ts; -// iterator->current(iterator, (void**)ts); -// this->logger->log(this->logger, CONTROL|MOST, "type of TSr is %s", -// mapping_find(ts_type_m, ts->get_ts_type(ts))); -// -// } -// iterator->destroy(iterator); - - - - this->logger->log(this->logger, CONTROL | MORE, "Request successfully handled. Going to create reply."); + /* add payloads to it */ + status = this->build_idr_payload(this, idi_request, idr_request, response); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Building idr payload failed"); + response->destroy(response); + return status; + } + status = this->build_sa_payload(this, sa_request, response); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Building sa payload failed"); + response->destroy(response); + return status; + } + status = this->build_auth_payload(this, auth_request, response); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Building auth payload failed"); + response->destroy(response); + return status; + } + status = this->build_ts_payload(this, TRUE, tsi_request, response); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Building tsi payload failed"); + response->destroy(response); + return status; + } + status = this->build_ts_payload(this, FALSE, tsr_request, response); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Building tsr payload failed"); + response->destroy(response); + return status; + } + + /* generate response, get transfroms first */ + signer = this->ike_sa->get_signer_responder(this->ike_sa); + crypter = this->ike_sa->get_crypter_responder(this->ike_sa); + status = response->generate(response, crypter, signer, &response_packet); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Error in message generation"); + response->destroy(response); + return status; + } + + + /* send it out */ + this->logger->log(this->logger, CONTROL | MORE, "IKE_AUTH request successfully handled. Sending reply."); + charon->send_queue->add(charon->send_queue, response_packet); + /* store for timeout reply */ + this->ike_sa->set_last_responded_message(this->ike_sa, response); + + /* create new state */ + this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa)); + return SUCCESS; } - -static status_t build_id_payload(private_ike_sa_init_responded_t *this, id_payload_t *id_payload) +/** + * Implements private_ike_sa_init_responded_t.build_idr_payload + */ +static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response) { + identification_t *other_id, *my_id = NULL; + init_config_t *init_config; + status_t status; + id_payload_t *idr_response; + + other_id = request_idi->get_identification(request_idi); + if (request_idr) + { + my_id = request_idr->get_identification(request_idr); + } + + /* build new sa config */ + init_config = this->ike_sa->get_init_config(this->ike_sa); + status = charon->configuration_manager->get_sa_config_for_init_config_and_id(charon->configuration_manager,init_config, other_id,my_id, &(this->sa_config)); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Could not find config for %s", other_id->get_string(other_id)); + return NOT_FOUND; + } + + /* set sa_config in ike_sa for other states */ + this->ike_sa->set_sa_config(this->ike_sa, this->sa_config); + + /* build response */ + idr_response = id_payload_create_from_identification(FALSE, other_id); + response->add_payload(response, (payload_t*)idr_response); + + if (my_id) + { + my_id->destroy(my_id); + } + other_id->destroy(other_id); + return SUCCESS; } /** + * Implements private_ike_sa_init_responded_t.build_sa_payload + */ +static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response) +{ + child_proposal_t *proposals, *proposal_chosen; + size_t proposal_count; + status_t status; + sa_payload_t *sa_response; + + /* dummy spis, until we have a child sa to request them */ + u_int8_t ah_spi[4] = {0x01, 0x02, 0x03, 0x04}; + u_int8_t esp_spi[4] = {0x05, 0x06, 0x07, 0x08}; + + status = request->get_child_proposals(request, &proposals, &proposal_count); + if (status == SUCCESS) + { + proposal_chosen = this->sa_config->select_proposal(this->sa_config, ah_spi, esp_spi, proposals, proposal_count); + if (proposal_chosen != NULL) + { + sa_response = sa_payload_create_from_child_proposals(proposal_chosen, 1); + response->add_payload(response, (payload_t*)sa_response); + } + else + { + this->logger->log(this->logger, ERROR, "no matching proposal found"); + status = NOT_FOUND; + } + } + else + { + this->logger->log(this->logger, ERROR, "requestor's sa payload contained no proposals"); + status = NOT_FOUND; + } + + + allocator_free(proposal_chosen); + allocator_free(proposals); + + + return status; +} + +/** + * Implements private_ike_sa_init_responded_t.build_auth_payload + */ +static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_payload_t *request, message_t *response) +{ + auth_payload_t *dummy; + u_int8_t data[] = {0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03}; + chunk_t auth_data; + auth_data.ptr = data; + auth_data.len = sizeof(data); + + /* TODO VERIFY auth here */ + + dummy = auth_payload_create(); + dummy->set_data(dummy, auth_data); + dummy->set_auth_method(dummy, RSA_DIGITAL_SIGNATURE); + + /* TODO replace dummy */ + + response->add_payload(response, (payload_t *)dummy); + return SUCCESS; +} + +/** + * Implements private_ike_sa_init_responded_t.build_ts_payload + */ +static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t* response) +{ + traffic_selector_t **ts_received, **ts_selected; + size_t ts_received_count, ts_selected_count; + status_t status = SUCCESS; + ts_payload_t *ts_response; + + /* build a reply payload with selected traffic selectors */ + ts_received_count = request->get_traffic_selectors(request, &ts_received); + /* select ts depending on payload type */ + if (ts_initiator) + { + ts_selected_count = this->sa_config->select_traffic_selectors_initiator(this->sa_config, ts_received, ts_received_count, &ts_selected); + } + else + { + ts_selected_count = this->sa_config->select_traffic_selectors_responder(this->sa_config, ts_received, ts_received_count, &ts_selected); + } + if(ts_selected_count == 0) + { + status = NOT_FOUND; + } + else + { + ts_response = ts_payload_create_from_traffic_selectors(FALSE, ts_selected, ts_selected_count); + response->add_payload(response, (payload_t*)ts_response); + } + + /* cleanup */ + while(ts_received_count--) + { + traffic_selector_t *ts = *ts_received + ts_received_count; + ts->destroy(ts); + } + allocator_free(ts_received); + while(ts_selected_count--) + { + traffic_selector_t *ts = *ts_selected + ts_selected_count; + ts->destroy(ts); + } + allocator_free(ts_selected); + return status; +} + +/** * Implements state_t.get_state */ static ike_sa_state_t get_state(private_ike_sa_init_responded_t *this) @@ -253,14 +405,7 @@ static void destroy(private_ike_sa_init_responded_t *this) { this->logger->log(this->logger, CONTROL | MORE, "Going to destroy ike_sa_init_responded_t state object"); - this->logger->log(this->logger, CONTROL | MOST, "Destroy shared_secret"); - allocator_free(this->shared_secret.ptr); - - this->logger->log(this->logger, CONTROL | MOST, "Destroy sent nonce"); - allocator_free(this->sent_nonce.ptr); - - this->logger->log(this->logger, CONTROL | MOST, "Destroy received nonce"); - allocator_free(this->received_nonce.ptr); + charon->logger_manager->destroy_logger(charon->logger_manager, this->logger); allocator_free(this); } @@ -268,8 +413,7 @@ static void destroy(private_ike_sa_init_responded_t *this) /* * Described in header. */ - -ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t shared_secret, chunk_t received_nonce, chunk_t sent_nonce) +ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa) { private_ike_sa_init_responded_t *this = allocator_alloc_thing(private_ike_sa_init_responded_t); @@ -278,12 +422,15 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state; this->public.state_interface.destroy = (void (*) (state_t *)) destroy; + /* private functions */ + this->build_idr_payload = build_idr_payload; + this->build_sa_payload = build_sa_payload; + this->build_auth_payload = build_auth_payload; + this->build_ts_payload = build_ts_payload; + /* private data */ this->ike_sa = ike_sa; this->logger = this->ike_sa->get_logger(this->ike_sa); - this->shared_secret = shared_secret; - this->received_nonce = received_nonce; - this->sent_nonce = sent_nonce; return &(this->public); } diff --git a/Source/charon/sa/states/ike_sa_init_responded.h b/Source/charon/sa/states/ike_sa_init_responded.h index aa07f76b9..e65c4e5e5 100644 --- a/Source/charon/sa/states/ike_sa_init_responded.h +++ b/Source/charon/sa/states/ike_sa_init_responded.h @@ -50,6 +50,6 @@ struct ike_sa_init_responded_t { * * @ingroup states */ -ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t shared_secret, chunk_t received_nonce, chunk_t sent_nonce); +ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa); #endif /*IKE_SA_INIT_RESPONDED_H_*/ diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c index ee9584e2c..3c03adf41 100644 --- a/Source/charon/sa/states/responder_init.c +++ b/Source/charon/sa/states/responder_init.c @@ -361,7 +361,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa /* state can now be changed */ this->logger->log(this->logger, CONTROL|MOST, "Create next state object"); - next_state = ike_sa_init_responded_create(this->ike_sa, shared_secret, this->received_nonce, this->sent_nonce); + next_state = ike_sa_init_responded_create(this->ike_sa); /* last message can now be set */ status = this->ike_sa->set_last_responded_message(this->ike_sa, response); diff --git a/Source/charon/utils/logger_manager.c b/Source/charon/utils/logger_manager.c index d030d5cbe..8c19e9dae 100644 --- a/Source/charon/utils/logger_manager.c +++ b/Source/charon/utils/logger_manager.c @@ -42,6 +42,7 @@ mapping_t logger_context_t_mappings[] = { {TESTER, "TESTER"}, {DAEMON, "DAEMON"}, {CONFIGURATION_MANAGER, "CONFIG"}, + {ENCRYPTION_PAYLOAD, "ENCPLD"}, }; /** @@ -148,6 +149,7 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t logger_level |= FULL; case IKE_SA_MANAGER: case MESSAGE: + case ENCRYPTION_PAYLOAD: case WORKER: logger_level |= ALL; case PARSER: diff --git a/Source/charon/utils/logger_manager.h b/Source/charon/utils/logger_manager.h index c663bd7de..80a9291fc 100644 --- a/Source/charon/utils/logger_manager.h +++ b/Source/charon/utils/logger_manager.h @@ -49,6 +49,7 @@ enum logger_context_t { TESTER, DAEMON, CONFIGURATION_MANAGER, + ENCRYPTION_PAYLOAD, }; typedef struct logger_manager_t logger_manager_t; |