aboutsummaryrefslogtreecommitdiffstats
path: root/Source/charon/sa
diff options
context:
space:
mode:
Diffstat (limited to 'Source/charon/sa')
-rw-r--r--Source/charon/sa/authenticator.c32
-rw-r--r--Source/charon/sa/authenticator.h7
-rw-r--r--Source/charon/sa/states/ike_auth_requested.c31
-rw-r--r--Source/charon/sa/states/ike_sa_init_requested.c8
-rw-r--r--Source/charon/sa/states/ike_sa_init_responded.c106
-rw-r--r--Source/charon/sa/states/initiator_init.c5
-rw-r--r--Source/charon/sa/states/responder_init.c29
7 files changed, 171 insertions, 47 deletions
diff --git a/Source/charon/sa/authenticator.c b/Source/charon/sa/authenticator.c
index af4f3c774..e298d1fa0 100644
--- a/Source/charon/sa/authenticator.c
+++ b/Source/charon/sa/authenticator.c
@@ -102,7 +102,12 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag
{
chunk_t id_chunk = my_id->get_data(my_id);
u_int8_t id_with_header[4 + id_chunk.len];
- chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header) };
+ /*
+ * IKEv2 for linux is not compatible with IKEv2 Draft and so not compatible with this
+ * implementation, cause AUTH data are computed without
+ * ID type and the three reserved bytes.
+ */
+ chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header)};
u_int8_t *current_pos;
chunk_t octets;
@@ -123,6 +128,7 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag
{
this->prf->set_key(this->prf,this->ike_sa->get_key_pr(this->ike_sa));
}
+
/* 4 bytes are id type and reserved fields of id payload */
octets.len = last_message.len + other_nonce.len + this->prf->get_block_size(this->prf);
@@ -167,13 +173,12 @@ static chunk_t allocate_auth_data_with_preshared_secret (private_authenticator_t
/**
* Implementation of authenticator_t.verify_auth_data.
*/
-static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool initiator,bool *verified)
+static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool initiator)
{
switch(auth_payload->get_auth_method(auth_payload))
{
case SHARED_KEY_MESSAGE_INTEGRITY_CODE:
{
-
identification_t *other_id = other_id_payload->get_identification(other_id_payload);
chunk_t auth_data = auth_payload->get_data(auth_payload);
chunk_t preshared_secret;
@@ -190,20 +195,19 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *
if (auth_data.len != my_auth_data.len)
{
- *verified = FALSE;
allocator_free_chunk(&my_auth_data);
- return SUCCESS;
+ return FAILED;
}
if (memcmp(auth_data.ptr,my_auth_data.ptr,my_auth_data.len) == 0)
{
- *verified = TRUE;
+ status = SUCCESS;
}
else
{
- *verified = FALSE;
+ status = FAILED;
}
- allocator_free_chunk(&my_auth_data);
- return SUCCESS;
+ allocator_free_chunk(&my_auth_data);
+ return status;
}
case RSA_DIGITAL_SIGNATURE:
{
@@ -224,14 +228,6 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *
octets = this->allocate_octets(this,last_received_packet,my_nonce,other_id_payload,initiator);
status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
- if (status == SUCCESS)
- {
- *verified = TRUE;
- }
- else
- {
- *verified = FALSE;
- }
allocator_free_chunk(&octets);
return status;
@@ -329,7 +325,7 @@ authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa)
/* Public functions */
this->public.destroy = (void(*)(authenticator_t*))destroy;
- this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool,bool *)) verify_auth_data;
+ this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool)) verify_auth_data;
this->public.compute_auth_data = (status_t (*) (authenticator_t *,auth_payload_t **, chunk_t ,chunk_t ,id_payload_t *,bool)) compute_auth_data;
/* private functions */
diff --git a/Source/charon/sa/authenticator.h b/Source/charon/sa/authenticator.h
index dc0319191..64cb1d602 100644
--- a/Source/charon/sa/authenticator.h
+++ b/Source/charon/sa/authenticator.h
@@ -60,12 +60,10 @@ struct authenticator_t {
* @param my_nonce The sent nonce (without payload header)
* @param other_id_payload The ID payload received from other peer
* @param initiator Type of other peer. TRUE, if it is original initiator, FALSE otherwise
- * @param[out] verified
- * - TRUE, if verification succeeded
- * - FALSE, if verification data could not be verified
*
* @return
* - SUCCESS if verification could be processed (does not mean the data could be verified)
+ * - FAILED if verification failed
* - NOT_SUPPORTED if AUTH method not supported
* - NOT_FOUND if the data for specific AUTH method could not be found (e.g. shared secret, rsa key)
* - TODO rsa errors!!
@@ -75,8 +73,7 @@ struct authenticator_t {
chunk_t last_received_packet,
chunk_t my_nonce,
id_payload_t *other_id_payload,
- bool initiator,
- bool *verified);
+ bool initiator);
/**
* @brief Computes authentication data and creates specific AUTH payload.
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index 041185ca2..7e01fcf61 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -194,13 +194,33 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
if (notify_payload->get_protocol_id(notify_payload) != IKE)
{
- this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol.");
+ this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol");
payloads->destroy(payloads);
return FAILED;
}
switch (notify_payload->get_notify_message_type(notify_payload))
{
+ case INVALID_SYNTAX:
+ {
+ this->logger->log(this->logger, ERROR, "Going to destroy IKE_SA");
+ payloads->destroy(payloads);
+ return DELETE_ME;
+
+ }
+ case AUTHENTICATION_FAILED:
+ {
+ this->logger->log(this->logger, ERROR, "Keys invalid?. Going to destroy IKE_SA");
+ payloads->destroy(payloads);
+ return DELETE_ME;
+
+ }
+ case SINGLE_PAIR_REQUIRED:
+ {
+ this->logger->log(this->logger, ERROR, "Please reconfigure CHILD_SA. Going to destroy IKE_SA");
+ payloads->destroy(payloads);
+ return DELETE_ME;
+ }
default:
{
/*
@@ -348,12 +368,11 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa
{
authenticator_t *authenticator;
status_t status;
- bool verified;
/* TODO VERIFY auth here */
authenticator = authenticator_create(this->ike_sa);
- status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE,&verified);
+ status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE);
authenticator->destroy(authenticator);
if (status != SUCCESS)
{
@@ -361,12 +380,6 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa
return FAILED;
}
- if (!verified)
- {
- this->logger->log(this->logger, ERROR | MORE, "AUTH data could not be verified");
- return FAILED;
- }
-
this->logger->log(this->logger, CONTROL | MORE, "AUTH data verified");
return SUCCESS;
}
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index 967aebb2b..b5571acb9 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -251,10 +251,16 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
{
case NO_PROPOSAL_CHOSEN:
{
- this->logger->log(this->logger, ERROR, "Peer didn't choose a proposal!!!");
+ this->logger->log(this->logger, ERROR, "Peer didn't choose a proposal!");
payloads->destroy(payloads);
return DELETE_ME;
}
+ case INVALID_MAJOR_VERSION:
+ {
+ this->logger->log(this->logger, ERROR, "Peer doesn't support IKEv2!");
+ payloads->destroy(payloads);
+ return DELETE_ME;
+ }
case INVALID_KE_PAYLOAD:
{
initiator_init_t *initiator_init_state;
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index 1dd16f669..732c5cc23 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -29,6 +29,7 @@
#include <encoding/payloads/sa_payload.h>
#include <encoding/payloads/id_payload.h>
#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/notify_payload.h>
#include <transforms/signers/signer.h>
#include <transforms/crypters/crypter.h>
#include <sa/states/ike_sa_established.h>
@@ -87,6 +88,15 @@ struct private_ike_sa_init_responded_t {
status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response);
status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload,id_payload_t *my_id_payload, message_t* response);
status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response);
+
+ /**
+ * Sends a IKE_AUTH reply with a notify payload.
+ *
+ * @param this calling object
+ * @param type type of notify message
+ * @param data data of notify message
+ */
+ void (*send_notify_reply) (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data);
};
/**
@@ -103,6 +113,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
auth_payload_t *auth_request;
sa_payload_t *sa_request;
ts_payload_t *tsi_request, *tsr_request;
+ notify_payload_t *notify_payload = NULL;
message_t *response;
exchange_type = request->get_exchange_type(request);
@@ -181,17 +192,54 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
tsr_request = (ts_payload_t*)payload;
break;
}
+ case NOTIFY:
+ {
+ notify_payload = (notify_payload_t *) payload;
+ break;
+ }
default:
{
this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
payloads->destroy(payloads);
- return FAILED;
+ return DELETE_ME;
}
}
}
/* iterator can be destroyed */
payloads->destroy(payloads);
+
+ if (notify_payload != NULL)
+ {
+ this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s",
+ mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
+ mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
+
+ if (notify_payload->get_protocol_id(notify_payload) != IKE)
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Notify not for IKE protocol.");
+ payloads->destroy(payloads);
+ return DELETE_ME;
+ }
+ switch (notify_payload->get_notify_message_type(notify_payload))
+ {
+ case SET_WINDOW_SIZE:
+ /*
+ * TODO Increase window size.
+ */
+ case INITIAL_CONTACT:
+ /*
+ * TODO Delete existing IKE_SA's with other Identity.
+ */
+ default:
+ {
+ this->logger->log(this->logger, CONTROL|MORE, "Handling of notify type %s not implemented",
+ notify_payload->get_notify_message_type(notify_payload));
+ }
+ }
+ }
+
+
/* build response */
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
@@ -351,25 +399,24 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p
authenticator_t *authenticator;
auth_payload_t *auth_reply;
status_t status;
- bool verified;
authenticator = authenticator_create(this->ike_sa);
- status = authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE,&verified);
-
+ status = authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE);
+
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR, "Verification of AUTH payload returned status %s",mapping_find(status_m,status));
authenticator->destroy(authenticator);
+ /*
+ * Send notify message of type AUTHENTICATION_FAILED
+ */
+ this->logger->log(this->logger, CONTROL | MORE, "Send notify message of type AUTHENTICATION_FAILED");
+ this->send_notify_reply (this,AUTHENTICATION_FAILED,CHUNK_INITIALIZER);
return status;
}
- if (!verified)
- {
- this->logger->log(this->logger, ERROR, "Verification of AUTH failed.");
- authenticator->destroy(authenticator);
- return FAILED;
- }
+
status = authenticator->compute_auth_data(authenticator,&auth_reply, this->ike_sa_init_response_data,this->received_nonce,my_id_payload,FALSE);
authenticator->destroy(authenticator);
@@ -432,6 +479,44 @@ static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_
}
/**
+ * Implementation of private_responder_init_t.send_notify_reply.
+ */
+static void send_notify_reply (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data)
+{
+ notify_payload_t *payload;
+ message_t *response;
+ packet_t *packet;
+ status_t status;
+
+ this->logger->log(this->logger, CONTROL|MOST, "Going to build message with notify payload");
+ /* set up the reply */
+ this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
+ payload = notify_payload_create_from_protocol_and_type(IKE,type);
+ if ((data.ptr != NULL) && (data.len > 0))
+ {
+ this->logger->log(this->logger, CONTROL|MOST, "Add Data to notify payload");
+ payload->set_notification_data(payload,data);
+ }
+
+ this->logger->log(this->logger, CONTROL|MOST, "Add Notify payload to message");
+ response->add_payload(response,(payload_t *) payload);
+
+ /* generate packet */
+ this->logger->log(this->logger, CONTROL|MOST, "Gnerate packet from message");
+ status = response->generate(response, NULL, NULL, &packet);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Could not generate packet from message");
+ return;
+ }
+
+ this->logger->log(this->logger, CONTROL|MOST, "Add packet to global send queue");
+ charon->send_queue->add(charon->send_queue, packet);
+ this->logger->log(this->logger, CONTROL|MOST, "Destroy message");
+ response->destroy(response);
+}
+
+/**
* Implements state_t.get_state
*/
static ike_sa_state_t get_state(private_ike_sa_init_responded_t *this)
@@ -475,6 +560,7 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa
this->build_sa_payload = build_sa_payload;
this->build_auth_payload = build_auth_payload;
this->build_ts_payload = build_ts_payload;
+ this->send_notify_reply = send_notify_reply;
/* private data */
this->ike_sa = ike_sa;
diff --git a/Source/charon/sa/states/initiator_init.c b/Source/charon/sa/states/initiator_init.c
index e0a6092ed..a9ec179e2 100644
--- a/Source/charon/sa/states/initiator_init.c
+++ b/Source/charon/sa/states/initiator_init.c
@@ -117,7 +117,8 @@ struct private_initiator_init_t {
void (*build_nonce_payload) (private_initiator_init_t *this, payload_t **payload);
/**
- * Destroy function called internally of this class after state change succeeded.
+ * Destroy function called internally of this class after state change to state
+ * IKE_SA_INIT_REQUESTED succeeded.
*
* This destroy function does not destroy objects which were passed to the new state.
*
@@ -164,7 +165,7 @@ static status_t initiate_connection (private_initiator_init_t *this, char *name)
this->dh_group_number = init_config->get_dh_group_number(init_config,this->dh_group_priority);
if (this->dh_group_number == MODP_UNDEFINED)
{
- this->logger->log(this->logger, ERROR | MORE, "Diffie hellman group could not be retrieved with priority %d", this->dh_group_priority);
+ this->logger->log(this->logger, ERROR | MORE, "Diffie hellman group could not be retrieved with priority %d", this->dh_group_priority);
return DELETE_ME;
}
diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c
index e112f421a..5526a0e47 100644
--- a/Source/charon/sa/states/responder_init.c
+++ b/Source/charon/sa/states/responder_init.c
@@ -189,6 +189,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
{
/* no configuration matches given host */
this->logger->log(this->logger, ERROR | MORE, "No INIT configuration found for given remote and local hosts");
+
return DELETE_ME;
}
@@ -243,7 +244,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
{
this->logger->log(this->logger, ERROR | MORE, "No proposal of suggested proposals selected");
payloads->destroy(payloads);
- this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER);
+ this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER);
return DELETE_ME;
}
@@ -258,7 +259,6 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
}
this->logger->log(this->logger, CONTROL | MORE, "SA Payload processed");
- /* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/
break;
}
case KEY_EXCHANGE:
@@ -321,6 +321,31 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
this->logger->log(this->logger, CONTROL | MORE, "Nonce Payload processed");
break;
}
+ case NOTIFY:
+ {
+ notify_payload_t *notify_payload = (notify_payload_t *) payload;
+
+
+ this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s",
+ mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
+ mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
+
+ if (notify_payload->get_protocol_id(notify_payload) != IKE)
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Notify not for IKE protocol.");
+ payloads->destroy(payloads);
+ return FAILED;
+ }
+ switch (notify_payload->get_notify_message_type(notify_payload))
+ {
+ default:
+ {
+ this->logger->log(this->logger, CONTROL|MORE, "Processing of notify type %s not yet implemented",
+ mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)));
+ break;
+ }
+ }
+ }
default:
{
this->logger->log(this->logger, ERROR | MORE, "Payload type not supported!");
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-22 12:43:36 +0000