aboutsummaryrefslogtreecommitdiffstats
path: root/Source/charon/sa
diff options
context:
space:
mode:
Diffstat (limited to 'Source/charon/sa')
-rw-r--r--Source/charon/sa/ike_sa.c19
-rw-r--r--Source/charon/sa/ike_sa.h16
-rw-r--r--Source/charon/sa/states/ike_auth_requested.c284
-rw-r--r--Source/charon/sa/states/ike_sa_init_requested.c2
-rw-r--r--Source/charon/sa/states/ike_sa_init_responded.c345
-rw-r--r--Source/charon/sa/states/ike_sa_init_responded.h2
-rw-r--r--Source/charon/sa/states/responder_init.c2
7 files changed, 566 insertions, 104 deletions
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index 9acd8914a..36ed8ee9a 100644
--- a/Source/charon/sa/ike_sa.c
+++ b/Source/charon/sa/ike_sa.c
@@ -615,6 +615,23 @@ static signer_t *get_signer_initiator (private_ike_sa_t *this)
}
/**
+ * Implementation of protected_ike_sa_t.get_crypter_responder.
+ */
+static crypter_t *get_crypter_responder(private_ike_sa_t *this)
+{
+ return this->crypter_responder;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.get_signer_responder.
+ */
+static signer_t *get_signer_responder (private_ike_sa_t *this)
+{
+ return this->signer_responder;
+}
+
+
+/**
* Implementation of protected_ike_sa_t.set_last_requested_message.
*/
static status_t set_last_requested_message (private_ike_sa_t *this,message_t * message)
@@ -815,6 +832,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator;
+ this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
+ this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
/* private functions */
diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h
index 6fd6f0e8d..806fd6581 100644
--- a/Source/charon/sa/ike_sa.h
+++ b/Source/charon/sa/ike_sa.h
@@ -282,6 +282,22 @@ struct protected_ike_sa_t {
* @return pointer to signer_t object
*/
signer_t *(*get_signer_initiator) (protected_ike_sa_t *this);
+
+ /**
+ * Gets the internal stored responder crypter_t object.
+ *
+ * @param this calling object
+ * @return pointer to crypter_t object
+ */
+ crypter_t *(*get_crypter_responder) (protected_ike_sa_t *this);
+
+ /**
+ * Gets the internal stored responder signer object.
+ *
+ * @param this calling object
+ * @return pointer to signer_t object
+ */
+ signer_t *(*get_signer_responder) (protected_ike_sa_t *this);
/**
* Resets message id counters and does destroy stored received and sent messages.
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index 316b0a2c6..eb4ccae6b 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -22,8 +22,15 @@
#include "ike_auth_requested.h"
+#include <daemon.h>
#include <utils/allocator.h>
-
+#include <encoding/payloads/ts_payload.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <transforms/signers/signer.h>
+#include <transforms/crypters/crypter.h>
+#include <sa/states/ike_sa_established.h>
typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
@@ -51,17 +58,281 @@ struct private_ike_auth_requested_t {
* Assigned IKE_SA
*/
protected_ike_sa_t *ike_sa;
+
+ /**
+ * SA config, just a copy of the one stored in the ike_sa
+ */
+ sa_config_t *sa_config;
+
+ /**
+ * Logger used to log data
+ *
+ * Is logger of ike_sa!
+ */
+ logger_t *logger;
+
+ status_t (*process_idr_payload) (private_ike_auth_requested_t *this, id_payload_t *idr_payload);
+ status_t (*process_sa_payload) (private_ike_auth_requested_t *this, sa_payload_t *sa_payload);
+ status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload);
+ status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload);
+
};
+
/**
- * Implements state_t.get_state
+ * Implements state_t.process_message
+ */
+static status_t process_message(private_ike_auth_requested_t *this, message_t *request)
+{
+ status_t status;
+ signer_t *signer;
+ crypter_t *crypter;
+ iterator_t *payloads;
+ exchange_type_t exchange_type;
+ id_payload_t *idr_payload;
+ auth_payload_t *auth_payload;
+ sa_payload_t *sa_payload;
+ ts_payload_t *tsi_payload, *tsr_payload;
+
+ return SUCCESS;
+
+ exchange_type = request->get_exchange_type(request);
+ if (exchange_type != IKE_AUTH)
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Message of type %s not supported in state ike_auth_requested",
+ mapping_find(exchange_type_m,exchange_type));
+ return FAILED;
+ }
+
+ if (request->get_request(request))
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Only responses of type IKE_AUTH supported in state ike_auth_requested");
+ return FAILED;
+ }
+
+ /* get signer for verification and crypter for decryption */
+ signer = this->ike_sa->get_signer_responder(this->ike_sa);
+ crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
+
+ /* parse incoming message */
+ status = request->parse_body(request, crypter, signer);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Could not parse body of request message");
+ return status;
+ }
+
+ this->sa_config = this->ike_sa->get_sa_config(this->ike_sa);
+
+ /* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */
+ payloads = request->get_payload_iterator(request);
+ while (payloads->has_next(payloads))
+ {
+ payload_t *payload;
+ payloads->current(payloads, (void**)&payload);
+
+ switch (payload->get_type(payload))
+ {
+ case AUTHENTICATION:
+ {
+ auth_payload = (auth_payload_t*)payload;
+ break;
+ }
+ case ID_RESPONDER:
+ {
+ idr_payload = (id_payload_t*)payload;
+ break;
+ }
+ case SECURITY_ASSOCIATION:
+ {
+ sa_payload = (sa_payload_t*)payload;
+ break;
+ }
+ case CERTIFICATE:
+ {
+ /* TODO handle cert payloads */
+ break;
+ }
+ case TRAFFIC_SELECTOR_INITIATOR:
+ {
+ tsi_payload = (ts_payload_t*)payload;
+ break;
+ }
+ case TRAFFIC_SELECTOR_RESPONDER:
+ {
+ tsr_payload = (ts_payload_t*)payload;
+ break;
+ }
+ default:
+ {
+ /* can't happen, since message is verified, notify's? */
+ break;
+ }
+ }
+ }
+ /* iterator can be destroyed */
+ payloads->destroy(payloads);
+
+
+ /* add payloads to it */
+ status = this->process_idr_payload(this, idr_payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Processing idr payload failed");
+ return status;
+ }
+ status = this->process_sa_payload(this, sa_payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Processing sa payload failed");
+ return status;
+ }
+ status = this->process_auth_payload(this, auth_payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Processing auth payload failed");
+ return status;
+ }
+ status = this->process_ts_payload(this, TRUE, tsi_payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Processing tsi payload failed");
+ return status;
+ }
+ status = this->process_ts_payload(this, FALSE, tsr_payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Processing tsr payload failed");
+ return status;
+ }
+
+ this->logger->log(this->logger, CONTROL | MORE, "IKE_AUTH response successfully handled. IKE_SA established.");
+
+ /* create new state */
+ this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
+
+ return SUCCESS;
+}
+
+/**
+ * Implements private_ike_auth_requested_t.build_idr_payload
*/
-static status_t process_message(private_ike_auth_requested_t *this, message_t *message)
+static status_t process_idr_payload(private_ike_auth_requested_t *this, id_payload_t *idr_payload)
{
+ identification_t *other_id, *configured_other_id;
+
+ other_id = idr_payload->get_identification(idr_payload);
+
+ configured_other_id = this->sa_config->get_other_id(this->sa_config);
+ if (configured_other_id)
+ {
+ if (!other_id->equals(other_id, configured_other_id))
+ {
+ this->logger->log(this->logger, ERROR, "IKE_AUTH reply didn't contain requested id");
+ return FAILED;
+ }
+ }
+
+ /* TODO do we have to store other_id somewhere ? */
+ return SUCCESS;
+}
+
+/**
+ * Implements private_ike_auth_requested_t.build_sa_payload
+ */
+static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payload_t *sa_payload)
+{
+ child_proposal_t *proposals, *proposal_chosen;
+ size_t proposal_count;
+ status_t status;
+
+ /* dummy spis, until we have a child sa to request them */
+ u_int8_t ah_spi[4] = {0x01, 0x02, 0x03, 0x04};
+ u_int8_t esp_spi[4] = {0x05, 0x06, 0x07, 0x08};
+
+ /* check selected proposal */
+ status = sa_payload->get_child_proposals(sa_payload, &proposals, &proposal_count);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "responders sa payload contained no proposals");
+ return FAILED;
+ }
+ if (proposal_count > 1)
+ {
+ allocator_free(proposals);
+ this->logger->log(this->logger, ERROR, "responders sa payload contained more than one proposal");
+ return FAILED;
+ }
+
+ proposal_chosen = this->sa_config->select_proposal(this->sa_config, ah_spi, esp_spi, proposals, proposal_count);
+ if (proposal_chosen == NULL)
+ {
+ this->logger->log(this->logger, ERROR, "responder selected an not offered proposal");
+ allocator_free(proposals);
+ return FAILED;
+ }
+ else
+ {
+ allocator_free(proposal_chosen);
+ }
+
+ allocator_free(proposals);
+
return SUCCESS;
}
/**
+ * Implements private_ike_auth_requested_t.build_auth_payload
+ */
+static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload)
+{
+ /* TODO VERIFY auth here */
+ return SUCCESS;
+}
+
+/**
+ * Implements private_ike_auth_requested_t.build_ts_payload
+ */
+static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload)
+{
+ traffic_selector_t **ts_received, **ts_selected;
+ size_t ts_received_count, ts_selected_count;
+ status_t status = SUCCESS;
+
+ /* get ts form payload */
+ ts_received_count = ts_payload->get_traffic_selectors(ts_payload, &ts_received);
+ /* select ts depending on payload type */
+ if (ts_initiator)
+ {
+ ts_selected_count = this->sa_config->select_traffic_selectors_initiator(this->sa_config, ts_received, ts_received_count, &ts_selected);
+ }
+ else
+ {
+ ts_selected_count = this->sa_config->select_traffic_selectors_responder(this->sa_config, ts_received, ts_received_count, &ts_selected);
+ }
+ /* check if the responder selected valid proposals */
+ if (ts_selected_count != ts_received_count)
+ {
+ this->logger->log(this->logger, ERROR, "responder selected invalid traffic selectors");
+ status = FAILED;
+ }
+
+ /* cleanup */
+ while(ts_received_count--)
+ {
+ traffic_selector_t *ts = *ts_received + ts_received_count;
+ ts->destroy(ts);
+ }
+ allocator_free(ts_received);
+ while(ts_selected_count--)
+ {
+ traffic_selector_t *ts = *ts_selected + ts_selected_count;
+ ts->destroy(ts);
+ }
+ allocator_free(ts_selected);
+ return status;
+}
+/**
* Implements state_t.get_state
*/
static ike_sa_state_t get_state(private_ike_auth_requested_t *this)
@@ -91,6 +362,13 @@ ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa, chun
this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
+ /* private functions */
+
+ this->process_idr_payload = process_idr_payload;
+ this->process_sa_payload = process_sa_payload;
+ this->process_auth_payload = process_auth_payload;
+ this->process_ts_payload = process_ts_payload;
+
/* private data */
this->ike_sa = ike_sa;
this->sent_nonce = sent_nonce;
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index aa12cd1b1..424f75950 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -534,7 +534,9 @@ static void build_tsi_payload (private_ike_sa_init_requested_t *this, payload_t
sa_config = this->ike_sa->get_sa_config(this->ike_sa);
traffic_selectors_count = sa_config->get_traffic_selectors_initiator(sa_config,&traffic_selectors);
+ printf("traffic_selectors: %d\n", traffic_selectors_count);
ts_payload = ts_payload_create_from_traffic_selectors(TRUE,traffic_selectors, traffic_selectors_count);
+
allocator_free(traffic_selectors);
*payload = (payload_t *) ts_payload;
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index 70090eb71..910987969 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -30,6 +30,7 @@
#include <encoding/payloads/auth_payload.h>
#include <transforms/signers/signer.h>
#include <transforms/crypters/crypter.h>
+#include <sa/states/ike_sa_established.h>
typedef struct private_ike_sa_init_responded_t private_ike_sa_init_responded_t;
@@ -45,27 +46,14 @@ struct private_ike_sa_init_responded_t {
ike_sa_init_responded_t public;
/**
- * Shared secret from DH-Exchange
- *
- * All needed secrets are derived from this shared secret and then passed to the next
- * state of type ike_sa_established_t
- */
- chunk_t shared_secret;
-
- /**
- * Sent nonce used to calculate secrets
- */
- chunk_t received_nonce;
-
- /**
- * Sent nonce used to calculate secrets
+ * Assigned IKE_SA
*/
- chunk_t sent_nonce;
+ protected_ike_sa_t *ike_sa;
/**
- * Assigned IKE_SA
+ * sa config to use
*/
- protected_ike_sa_t *ike_sa;
+ sa_config_t *sa_config;
/**
* Logger used to log data
@@ -73,24 +61,31 @@ struct private_ike_sa_init_responded_t {
* Is logger of ike_sa!
*/
logger_t *logger;
+
+ status_t (*build_idr_payload) (private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response);
+ status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response);
+ status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request, message_t *response);
+ status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response);
};
/**
* Implements state_t.get_state
*/
-static status_t process_message(private_ike_sa_init_responded_t *this, message_t *message)
+static status_t process_message(private_ike_sa_init_responded_t *this, message_t *request)
{
status_t status;
signer_t *signer;
crypter_t *crypter;
iterator_t *payloads;
exchange_type_t exchange_type;
- id_payload_t *idi_payload, *idr_payload;
- auth_payload_t *auth_payload;
- sa_payload_t *sa_payload;
- ts_payload_t *tsi_payload, *tsr_payload;
+ id_payload_t *idi_request, *idr_request = NULL;
+ auth_payload_t *auth_request;
+ sa_payload_t *sa_request;
+ ts_payload_t *tsi_request, *tsr_request;
+ message_t *response;
+ packet_t *response_packet;
- exchange_type = message->get_exchange_type(message);
+ exchange_type = request->get_exchange_type(request);
if (exchange_type != IKE_AUTH)
{
this->logger->log(this->logger, ERROR | MORE, "Message of type %s not supported in state ike_sa_init_responded",
@@ -98,7 +93,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
return FAILED;
}
- if (!message->get_request(message))
+ if (!request->get_request(request))
{
this->logger->log(this->logger, ERROR | MORE, "Only requests of type IKE_AUTH supported in state ike_sa_init_responded");
return FAILED;
@@ -110,7 +105,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
/* parse incoming message */
- status = message->parse_body(message, crypter, signer);
+ status = request->parse_body(request, crypter, signer);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not parse body of request message");
@@ -118,7 +113,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
}
/* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */
- payloads = message->get_payload_iterator(message);
+ payloads = request->get_payload_iterator(request);
while (payloads->has_next(payloads))
{
payload_t *payload;
@@ -128,22 +123,22 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
{
case ID_INITIATOR:
{
- idi_payload = (id_payload_t*)payload;
+ idi_request = (id_payload_t*)payload;
break;
}
case AUTHENTICATION:
{
- auth_payload = (auth_payload_t*)payload;
+ auth_request = (auth_payload_t*)payload;
break;
}
case ID_RESPONDER:
{
- /* TODO handle idr payloads */
+ idr_request = (id_payload_t*)payload;
break;
}
case SECURITY_ASSOCIATION:
{
- sa_payload = (sa_payload_t*)payload;
+ sa_request = (sa_payload_t*)payload;
break;
}
case CERTIFICATE:
@@ -158,17 +153,17 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
}
case TRAFFIC_SELECTOR_INITIATOR:
{
- tsi_payload = (ts_payload_t*)payload;
+ tsi_request = (ts_payload_t*)payload;
break;
}
case TRAFFIC_SELECTOR_RESPONDER:
{
- tsr_payload = (ts_payload_t*)payload;
+ tsr_request = (ts_payload_t*)payload;
break;
}
default:
{
- /* can't happen, since message is verified */
+ /* can't happen, since message is verified, notify's? */
break;
}
}
@@ -176,69 +171,226 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
/* iterator can be destroyed */
payloads->destroy(payloads);
+ /* build response */
+ this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
- /*
- * ID Payload
- */
- this->logger->log(this->logger, CONTROL|MOST, "type of IDi is %s",
- mapping_find(id_type_m, idi_payload->get_id_type(idi_payload)));
- chunk_t data = idi_payload->get_data(idi_payload);
-
- this->logger->log(this->logger, CONTROL|MOST, "data of IDi is %s",
- data.ptr);
-
-// charon->configuration_manager->get_my_default_id(charon->configuration_manager, id
-//
-//
-//
-//
-// this->logger->log(this->logger, CONTROL|MOST, "type of AUTH is %s",
-// mapping_find(auth_method_m, auth_payload->get_auth_method(auth_payload)));
-//
-// /* get the list of suggested proposals */
-// suggested_proposals = sa_payload->create_proposal_substructure_iterator(sa_payload, TRUE);
-//
-// /* now let the configuration-manager select a subset of the proposals */
-// status = charon->configuration_manager->select_proposals_for_host(charon->configuration_manager,
-// this->ike_sa->get_other_host(this->ike_sa), suggested_proposals, accepted_proposals);
-//
-
-// iterator = tsi_payload->create_traffic_selector_substructure_iterator(tsi_payload, TRUE);
-// while (iterator->has_next(iterator))
-// {
-// traffic_selector_substructure_t *ts;
-// iterator->current(iterator, (void**)ts);
-// this->logger->log(this->logger, CONTROL|MOST, "type of TSi is %s",
-// mapping_find(ts_type_m, ts->get_ts_type(ts)));
-//
-// }
-// iterator->destroy(iterator);
-//
-// iterator = tsr_payload->create_traffic_selector_substructure_iterator(tsr_payload, TRUE);
-// while (iterator->has_next(iterator))
-// {
-// traffic_selector_substructure_t *ts;
-// iterator->current(iterator, (void**)ts);
-// this->logger->log(this->logger, CONTROL|MOST, "type of TSr is %s",
-// mapping_find(ts_type_m, ts->get_ts_type(ts)));
-//
-// }
-// iterator->destroy(iterator);
-
-
-
- this->logger->log(this->logger, CONTROL | MORE, "Request successfully handled. Going to create reply.");
+ /* add payloads to it */
+ status = this->build_idr_payload(this, idi_request, idr_request, response);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Building idr payload failed");
+ response->destroy(response);
+ return status;
+ }
+ status = this->build_sa_payload(this, sa_request, response);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Building sa payload failed");
+ response->destroy(response);
+ return status;
+ }
+ status = this->build_auth_payload(this, auth_request, response);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Building auth payload failed");
+ response->destroy(response);
+ return status;
+ }
+ status = this->build_ts_payload(this, TRUE, tsi_request, response);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Building tsi payload failed");
+ response->destroy(response);
+ return status;
+ }
+ status = this->build_ts_payload(this, FALSE, tsr_request, response);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Building tsr payload failed");
+ response->destroy(response);
+ return status;
+ }
+
+ /* generate response, get transfroms first */
+ signer = this->ike_sa->get_signer_responder(this->ike_sa);
+ crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
+ status = response->generate(response, crypter, signer, &response_packet);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Error in message generation");
+ response->destroy(response);
+ return status;
+ }
+
+
+ /* send it out */
+ this->logger->log(this->logger, CONTROL | MORE, "IKE_AUTH request successfully handled. Sending reply.");
+ charon->send_queue->add(charon->send_queue, response_packet);
+ /* store for timeout reply */
+ this->ike_sa->set_last_responded_message(this->ike_sa, response);
+
+ /* create new state */
+ this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
+
return SUCCESS;
}
-
-static status_t build_id_payload(private_ike_sa_init_responded_t *this, id_payload_t *id_payload)
+/**
+ * Implements private_ike_sa_init_responded_t.build_idr_payload
+ */
+static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response)
{
+ identification_t *other_id, *my_id = NULL;
+ init_config_t *init_config;
+ status_t status;
+ id_payload_t *idr_response;
+
+ other_id = request_idi->get_identification(request_idi);
+ if (request_idr)
+ {
+ my_id = request_idr->get_identification(request_idr);
+ }
+
+ /* build new sa config */
+ init_config = this->ike_sa->get_init_config(this->ike_sa);
+ status = charon->configuration_manager->get_sa_config_for_init_config_and_id(charon->configuration_manager,init_config, other_id,my_id, &(this->sa_config));
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Could not find config for %s", other_id->get_string(other_id));
+ return NOT_FOUND;
+ }
+
+ /* set sa_config in ike_sa for other states */
+ this->ike_sa->set_sa_config(this->ike_sa, this->sa_config);
+
+ /* build response */
+ idr_response = id_payload_create_from_identification(FALSE, other_id);
+ response->add_payload(response, (payload_t*)idr_response);
+
+ if (my_id)
+ {
+ my_id->destroy(my_id);
+ }
+ other_id->destroy(other_id);
+
return SUCCESS;
}
/**
+ * Implements private_ike_sa_init_responded_t.build_sa_payload
+ */
+static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response)
+{
+ child_proposal_t *proposals, *proposal_chosen;
+ size_t proposal_count;
+ status_t status;
+ sa_payload_t *sa_response;
+
+ /* dummy spis, until we have a child sa to request them */
+ u_int8_t ah_spi[4] = {0x01, 0x02, 0x03, 0x04};
+ u_int8_t esp_spi[4] = {0x05, 0x06, 0x07, 0x08};
+
+ status = request->get_child_proposals(request, &proposals, &proposal_count);
+ if (status == SUCCESS)
+ {
+ proposal_chosen = this->sa_config->select_proposal(this->sa_config, ah_spi, esp_spi, proposals, proposal_count);
+ if (proposal_chosen != NULL)
+ {
+ sa_response = sa_payload_create_from_child_proposals(proposal_chosen, 1);
+ response->add_payload(response, (payload_t*)sa_response);
+ }
+ else
+ {
+ this->logger->log(this->logger, ERROR, "no matching proposal found");
+ status = NOT_FOUND;
+ }
+ }
+ else
+ {
+ this->logger->log(this->logger, ERROR, "requestor's sa payload contained no proposals");
+ status = NOT_FOUND;
+ }
+
+
+ allocator_free(proposal_chosen);
+ allocator_free(proposals);
+
+
+ return status;
+}
+
+/**
+ * Implements private_ike_sa_init_responded_t.build_auth_payload
+ */
+static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_payload_t *request, message_t *response)
+{
+ auth_payload_t *dummy;
+ u_int8_t data[] = {0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03,0x01,0x03};
+ chunk_t auth_data;
+ auth_data.ptr = data;
+ auth_data.len = sizeof(data);
+
+ /* TODO VERIFY auth here */
+
+ dummy = auth_payload_create();
+ dummy->set_data(dummy, auth_data);
+ dummy->set_auth_method(dummy, RSA_DIGITAL_SIGNATURE);
+
+ /* TODO replace dummy */
+
+ response->add_payload(response, (payload_t *)dummy);
+ return SUCCESS;
+}
+
+/**
+ * Implements private_ike_sa_init_responded_t.build_ts_payload
+ */
+static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t* response)
+{
+ traffic_selector_t **ts_received, **ts_selected;
+ size_t ts_received_count, ts_selected_count;
+ status_t status = SUCCESS;
+ ts_payload_t *ts_response;
+
+ /* build a reply payload with selected traffic selectors */
+ ts_received_count = request->get_traffic_selectors(request, &ts_received);
+ /* select ts depending on payload type */
+ if (ts_initiator)
+ {
+ ts_selected_count = this->sa_config->select_traffic_selectors_initiator(this->sa_config, ts_received, ts_received_count, &ts_selected);
+ }
+ else
+ {
+ ts_selected_count = this->sa_config->select_traffic_selectors_responder(this->sa_config, ts_received, ts_received_count, &ts_selected);
+ }
+ if(ts_selected_count == 0)
+ {
+ status = NOT_FOUND;
+ }
+ else
+ {
+ ts_response = ts_payload_create_from_traffic_selectors(FALSE, ts_selected, ts_selected_count);
+ response->add_payload(response, (payload_t*)ts_response);
+ }
+
+ /* cleanup */
+ while(ts_received_count--)
+ {
+ traffic_selector_t *ts = *ts_received + ts_received_count;
+ ts->destroy(ts);
+ }
+ allocator_free(ts_received);
+ while(ts_selected_count--)
+ {
+ traffic_selector_t *ts = *ts_selected + ts_selected_count;
+ ts->destroy(ts);
+ }
+ allocator_free(ts_selected);
+ return status;
+}
+
+/**
* Implements state_t.get_state
*/
static ike_sa_state_t get_state(private_ike_sa_init_responded_t *this)
@@ -253,14 +405,7 @@ static void destroy(private_ike_sa_init_responded_t *this)
{
this->logger->log(this->logger, CONTROL | MORE, "Going to destroy ike_sa_init_responded_t state object");
- this->logger->log(this->logger, CONTROL | MOST, "Destroy shared_secret");
- allocator_free(this->shared_secret.ptr);
-
- this->logger->log(this->logger, CONTROL | MOST, "Destroy sent nonce");
- allocator_free(this->sent_nonce.ptr);
-
- this->logger->log(this->logger, CONTROL | MOST, "Destroy received nonce");
- allocator_free(this->received_nonce.ptr);
+ charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
allocator_free(this);
}
@@ -268,8 +413,7 @@ static void destroy(private_ike_sa_init_responded_t *this)
/*
* Described in header.
*/
-
-ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t shared_secret, chunk_t received_nonce, chunk_t sent_nonce)
+ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa)
{
private_ike_sa_init_responded_t *this = allocator_alloc_thing(private_ike_sa_init_responded_t);
@@ -278,12 +422,15 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa
this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
+ /* private functions */
+ this->build_idr_payload = build_idr_payload;
+ this->build_sa_payload = build_sa_payload;
+ this->build_auth_payload = build_auth_payload;
+ this->build_ts_payload = build_ts_payload;
+
/* private data */
this->ike_sa = ike_sa;
this->logger = this->ike_sa->get_logger(this->ike_sa);
- this->shared_secret = shared_secret;
- this->received_nonce = received_nonce;
- this->sent_nonce = sent_nonce;
return &(this->public);
}
diff --git a/Source/charon/sa/states/ike_sa_init_responded.h b/Source/charon/sa/states/ike_sa_init_responded.h
index aa07f76b9..e65c4e5e5 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.h
+++ b/Source/charon/sa/states/ike_sa_init_responded.h
@@ -50,6 +50,6 @@ struct ike_sa_init_responded_t {
*
* @ingroup states
*/
-ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa, chunk_t shared_secret, chunk_t received_nonce, chunk_t sent_nonce);
+ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa);
#endif /*IKE_SA_INIT_RESPONDED_H_*/
diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c
index ee9584e2c..3c03adf41 100644
--- a/Source/charon/sa/states/responder_init.c
+++ b/Source/charon/sa/states/responder_init.c
@@ -361,7 +361,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
/* state can now be changed */
this->logger->log(this->logger, CONTROL|MOST, "Create next state object");
- next_state = ike_sa_init_responded_create(this->ike_sa, shared_secret, this->received_nonce, this->sent_nonce);
+ next_state = ike_sa_init_responded_create(this->ike_sa);
/* last message can now be set */
status = this->ike_sa->set_last_responded_message(this->ike_sa, response);
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-23 14:36:19 +0000