3cddc00733394bb0459aba93f4a39be21c562e81
[strongswan.git] / src / charon / sa / tasks / ike_cert.c
1 /**
2 * @file ike_cert.c
3 *
4 * @brief Implementation of the ike_cert task.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006-2007 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_cert.h"
24
25 #include <daemon.h>
26 #include <sa/ike_sa.h>
27 #include <crypto/hashers/hasher.h>
28 #include <encoding/payloads/cert_payload.h>
29 #include <encoding/payloads/certreq_payload.h>
30
31
32 typedef struct private_ike_cert_t private_ike_cert_t;
33
34 /**
35 * Private members of a ike_cert_t task.
36 */
37 struct private_ike_cert_t {
38
39 /**
40 * Public methods and task_t interface.
41 */
42 ike_cert_t public;
43
44 /**
45 * Assigned IKE_SA.
46 */
47 ike_sa_t *ike_sa;
48
49 /**
50 * Are we the initiator?
51 */
52 bool initiator;
53
54 /**
55 * list of CA cert hashes requested, items point to 20 byte chunk
56 */
57 linked_list_t *cas;
58 };
59
60 /**
61 * read certificate requests
62 */
63 static void process_certreqs(private_ike_cert_t *this, message_t *message)
64 {
65 iterator_t *iterator;
66 payload_t *payload;
67
68 iterator = message->get_payload_iterator(message);
69 while (iterator->iterate(iterator, (void**)&payload))
70 {
71 if (payload->get_type(payload) == CERTIFICATE_REQUEST)
72 {
73 certreq_payload_t *certreq = (certreq_payload_t*)payload;
74 cert_encoding_t encoding;
75 chunk_t keyids, keyid;
76
77 encoding = certreq->get_cert_encoding(certreq);
78 if (encoding != CERT_X509_SIGNATURE)
79 {
80 DBG1(DBG_IKE, "certreq payload %N not supported, ignored",
81 cert_encoding_names, encoding);
82 continue;
83 }
84
85 keyids = certreq->get_data(certreq);
86
87 while (keyids.len >= HASH_SIZE_SHA1)
88 {
89 keyid = chunk_create(keyids.ptr, HASH_SIZE_SHA1);
90 keyid = chunk_clone(keyid);
91 this->cas->insert_last(this->cas, keyid.ptr);
92 keyids = chunk_skip(keyids, HASH_SIZE_SHA1);
93 }
94 }
95 }
96 iterator->destroy(iterator);
97 }
98
99 /**
100 * import certificates
101 */
102 static void process_certs(private_ike_cert_t *this, message_t *message)
103 {
104 iterator_t *iterator;
105 payload_t *payload;
106
107 iterator = message->get_payload_iterator(message);
108 while (iterator->iterate(iterator, (void**)&payload))
109 {
110 if (payload->get_type(payload) == CERTIFICATE)
111 {
112 cert_encoding_t encoding;
113 x509_t *cert;
114 chunk_t cert_data;
115 bool found;
116 cert_payload_t *cert_payload = (cert_payload_t*)payload;
117
118 encoding = cert_payload->get_cert_encoding(cert_payload);
119 if (encoding != CERT_X509_SIGNATURE)
120 {
121 DBG1(DBG_IKE, "certificate payload %N not supported, ignored",
122 cert_encoding_names, encoding);
123 continue;
124 }
125
126 cert_data = cert_payload->get_data_clone(cert_payload);
127 cert = x509_create_from_chunk(cert_data);
128 if (cert)
129 {
130 if (charon->credentials->verify(charon->credentials,
131 cert, &found))
132 {
133 DBG2(DBG_IKE, "received end entity certificate is trusted, "
134 "added to store");
135 if (!found)
136 {
137 charon->credentials->add_end_certificate(
138 charon->credentials, cert);
139 }
140 else
141 {
142 cert->destroy(cert);
143 }
144 }
145 else
146 {
147 DBG1(DBG_IKE, "received end entity certificate is not "
148 "trusted, discarded");
149 cert->destroy(cert);
150 }
151 }
152 else
153 {
154 DBG1(DBG_IKE, "parsing of received certificate failed, discarded");
155 chunk_free(&cert_data);
156 }
157 }
158 }
159 iterator->destroy(iterator);
160 }
161
162 /**
163 * build certificate requests
164 */
165 static void build_certreqs(private_ike_cert_t *this, message_t *message)
166 {
167 connection_t *connection;
168 policy_t *policy;
169 identification_t *ca;
170 certreq_payload_t *certreq;
171
172 connection = this->ike_sa->get_connection(this->ike_sa);
173
174 if (connection->get_certreq_policy(connection) != CERT_NEVER_SEND)
175 {
176 policy = this->ike_sa->get_policy(this->ike_sa);
177
178 if (policy)
179 {
180 ca = policy->get_other_ca(policy);
181
182 if (ca && ca->get_type(ca) != ID_ANY)
183 {
184 certreq = certreq_payload_create_from_cacert(ca);
185 }
186 else
187 {
188 certreq = certreq_payload_create_from_cacerts();
189 }
190 }
191 else
192 {
193 certreq = certreq_payload_create_from_cacerts();
194 }
195
196 if (certreq)
197 {
198 message->add_payload(message, (payload_t*)certreq);
199 }
200 }
201 }
202
203 /**
204 * add certificates to message
205 */
206 static void build_certs(private_ike_cert_t *this, message_t *message)
207 {
208 policy_t *policy;
209 connection_t *connection;
210 x509_t *cert;
211 cert_payload_t *payload;
212
213 policy = this->ike_sa->get_policy(this->ike_sa);
214 connection = this->ike_sa->get_connection(this->ike_sa);
215
216 if (policy && policy->get_auth_method(policy) == AUTH_RSA)
217 {
218 switch (connection->get_cert_policy(connection))
219 {
220 case CERT_NEVER_SEND:
221 break;
222 case CERT_SEND_IF_ASKED:
223 if (this->cas->get_count(this->cas) == 0)
224 {
225 break;
226 }
227 /* FALL */
228 case CERT_ALWAYS_SEND:
229 {
230 /* TODO: respect CA cert request */
231 cert = charon->credentials->get_certificate(charon->credentials,
232 policy->get_my_id(policy));
233 if (cert)
234 {
235 payload = cert_payload_create_from_x509(cert);
236 message->add_payload(message, (payload_t*)payload);
237 }
238 }
239 }
240 }
241 }
242
243 /**
244 * Implementation of task_t.process for initiator
245 */
246 static status_t build_i(private_ike_cert_t *this, message_t *message)
247 {
248 if (message->get_exchange_type(message) == IKE_SA_INIT)
249 {
250 return NEED_MORE;
251 }
252
253 build_certreqs(this, message);
254 build_certs(this, message);
255
256 return NEED_MORE;
257 }
258
259 /**
260 * Implementation of task_t.process for responder
261 */
262 static status_t process_r(private_ike_cert_t *this, message_t *message)
263 {
264 if (message->get_exchange_type(message) == IKE_SA_INIT)
265 {
266 return NEED_MORE;
267 }
268
269 process_certreqs(this, message);
270 process_certs(this, message);
271
272 return NEED_MORE;
273 }
274
275 /**
276 * Implementation of task_t.build for responder
277 */
278 static status_t build_r(private_ike_cert_t *this, message_t *message)
279 {
280 if (message->get_exchange_type(message) == IKE_SA_INIT)
281 {
282 build_certreqs(this, message);
283 return NEED_MORE;
284 }
285
286 build_certs(this, message);
287
288 return SUCCESS;
289 }
290
291 /**
292 * Implementation of task_t.process for initiator
293 */
294 static status_t process_i(private_ike_cert_t *this, message_t *message)
295 {
296 if (message->get_exchange_type(message) == IKE_SA_INIT)
297 {
298 process_certreqs(this, message);
299 return NEED_MORE;
300 }
301
302 process_certs(this, message);
303 return SUCCESS;
304 }
305
306 /**
307 * Implementation of task_t.get_type
308 */
309 static task_type_t get_type(private_ike_cert_t *this)
310 {
311 return IKE_CERT;
312 }
313
314 /**
315 * Implementation of task_t.migrate
316 */
317 static void migrate(private_ike_cert_t *this, ike_sa_t *ike_sa)
318 {
319 this->ike_sa = ike_sa;
320
321 this->cas->destroy_function(this->cas, free);
322 this->cas = linked_list_create();
323 }
324
325 /**
326 * Implementation of task_t.destroy
327 */
328 static void destroy(private_ike_cert_t *this)
329 {
330 this->cas->destroy_function(this->cas, free);
331 free(this);
332 }
333
334 /*
335 * Described in header.
336 */
337 ike_cert_t *ike_cert_create(ike_sa_t *ike_sa, bool initiator)
338 {
339 private_ike_cert_t *this = malloc_thing(private_ike_cert_t);
340
341 this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
342 this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
343 this->public.task.destroy = (void(*)(task_t*))destroy;
344
345 if (initiator)
346 {
347 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
348 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
349 }
350 else
351 {
352 this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
353 this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
354 }
355
356 this->ike_sa = ike_sa;
357 this->initiator = initiator;
358 this->cas = linked_list_create();
359
360 return &this->public;
361 }