a88016e8e7eefc26fe441fbb47e92c607ead8d33
[strongswan.git] / src / charon / sa / tasks / ike_cert.c
1 /**
2 * @file ike_cert.c
3 *
4 * @brief Implementation of the ike_cert task.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006-2007 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_cert.h"
24
25 #include <daemon.h>
26 #include <sa/ike_sa.h>
27 #include <crypto/hashers/hasher.h>
28 #include <encoding/payloads/cert_payload.h>
29 #include <encoding/payloads/certreq_payload.h>
30
31
32 typedef struct private_ike_cert_t private_ike_cert_t;
33
34 /**
35 * Private members of a ike_cert_t task.
36 */
37 struct private_ike_cert_t {
38
39 /**
40 * Public methods and task_t interface.
41 */
42 ike_cert_t public;
43
44 /**
45 * Assigned IKE_SA.
46 */
47 ike_sa_t *ike_sa;
48
49 /**
50 * Are we the initiator?
51 */
52 bool initiator;
53
54 /**
55 * list of CA cert hashes requested, items point to 20 byte chunk
56 */
57 linked_list_t *cas;
58
59 /**
60 * have we seen a certificate request?
61 */
62 bool certreq_seen;
63 };
64
65 /**
66 * read certificate requests
67 */
68 static void process_certreqs(private_ike_cert_t *this, message_t *message)
69 {
70 iterator_t *iterator;
71 payload_t *payload;
72
73 iterator = message->get_payload_iterator(message);
74 while (iterator->iterate(iterator, (void**)&payload))
75 {
76 if (payload->get_type(payload) == CERTIFICATE_REQUEST)
77 {
78 certreq_payload_t *certreq = (certreq_payload_t*)payload;
79 cert_encoding_t encoding;
80 chunk_t keyids, keyid;
81
82 this->certreq_seen = TRUE;
83
84 encoding = certreq->get_cert_encoding(certreq);
85 if (encoding != CERT_X509_SIGNATURE)
86 {
87 DBG1(DBG_IKE, "certreq payload %N not supported, ignored",
88 cert_encoding_names, encoding);
89 continue;
90 }
91
92 keyids = certreq->get_data(certreq);
93
94 while (keyids.len >= HASH_SIZE_SHA1)
95 {
96 keyid = chunk_create(keyids.ptr, HASH_SIZE_SHA1);
97 keyid = chunk_clone(keyid);
98 this->cas->insert_last(this->cas, keyid.ptr);
99 keyids = chunk_skip(keyids, HASH_SIZE_SHA1);
100 }
101 }
102 }
103 iterator->destroy(iterator);
104 }
105
106 /**
107 * import certificates
108 */
109 static void process_certs(private_ike_cert_t *this, message_t *message)
110 {
111 iterator_t *iterator;
112 payload_t *payload;
113
114 iterator = message->get_payload_iterator(message);
115 while (iterator->iterate(iterator, (void**)&payload))
116 {
117 if (payload->get_type(payload) == CERTIFICATE)
118 {
119 cert_encoding_t encoding;
120 x509_t *cert;
121 chunk_t cert_data;
122 bool found;
123 cert_payload_t *cert_payload = (cert_payload_t*)payload;
124
125 encoding = cert_payload->get_cert_encoding(cert_payload);
126 if (encoding != CERT_X509_SIGNATURE)
127 {
128 DBG1(DBG_IKE, "certificate payload %N not supported, ignored",
129 cert_encoding_names, encoding);
130 continue;
131 }
132
133 cert_data = cert_payload->get_data_clone(cert_payload);
134 cert = x509_create_from_chunk(cert_data, 0);
135 if (cert)
136 {
137 if (charon->credentials->verify(charon->credentials, cert, &found))
138 {
139 DBG2(DBG_IKE, "received end entity certificate is trusted, "
140 "added to store");
141 if (found)
142 {
143 cert->destroy(cert);
144 }
145 else
146 {
147 charon->credentials->add_end_certificate(charon->credentials, cert);
148 }
149 }
150 else
151 {
152 DBG1(DBG_IKE, "received end entity certificate is not trusted,"
153 "discarded");
154 cert->destroy(cert);
155 }
156 }
157 else
158 {
159 DBG1(DBG_IKE, "parsing of received certificate failed, discarded");
160 chunk_free(&cert_data);
161 }
162 }
163 }
164 iterator->destroy(iterator);
165 }
166
167 /**
168 * build certificate requests
169 */
170 static void build_certreqs(private_ike_cert_t *this, message_t *message)
171 {
172 ike_cfg_t *ike_cfg;
173 peer_cfg_t *peer_cfg;
174 identification_t *ca;
175 certreq_payload_t *certreq;
176
177 ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
178
179 if (ike_cfg->send_certreq(ike_cfg) != CERT_NEVER_SEND)
180 {
181 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
182
183 if (peer_cfg)
184 {
185 ca = peer_cfg->get_other_ca(peer_cfg);
186
187 if (ca && ca->get_type(ca) != ID_ANY)
188 {
189 certreq = certreq_payload_create_from_cacert(ca);
190 }
191 else
192 {
193 certreq = certreq_payload_create_from_cacerts();
194 }
195 }
196 else
197 {
198 certreq = certreq_payload_create_from_cacerts();
199 }
200
201 if (certreq)
202 {
203 message->add_payload(message, (payload_t*)certreq);
204 }
205 }
206 }
207
208 /**
209 * add certificates to message
210 */
211 static void build_certs(private_ike_cert_t *this, message_t *message)
212 {
213 peer_cfg_t *peer_cfg;
214 x509_t *cert;
215 cert_payload_t *payload;
216
217 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
218
219 if (peer_cfg && peer_cfg->get_auth_method(peer_cfg) == AUTH_RSA)
220 {
221 switch (peer_cfg->get_cert_policy(peer_cfg))
222 {
223 case CERT_NEVER_SEND:
224 break;
225 case CERT_SEND_IF_ASKED:
226 if (!this->certreq_seen)
227 {
228 break;
229 }
230 /* FALL */
231 case CERT_ALWAYS_SEND:
232 {
233 /* TODO: respect CA cert request */
234 cert = charon->credentials->get_certificate(charon->credentials,
235 peer_cfg->get_my_id(peer_cfg));
236 if (cert)
237 {
238 payload = cert_payload_create_from_x509(cert);
239 message->add_payload(message, (payload_t*)payload);
240 }
241 }
242 }
243 }
244 }
245
246 /**
247 * Implementation of task_t.process for initiator
248 */
249 static status_t build_i(private_ike_cert_t *this, message_t *message)
250 {
251 if (message->get_exchange_type(message) == IKE_SA_INIT)
252 {
253 return NEED_MORE;
254 }
255
256 build_certreqs(this, message);
257 build_certs(this, message);
258
259 return NEED_MORE;
260 }
261
262 /**
263 * Implementation of task_t.process for responder
264 */
265 static status_t process_r(private_ike_cert_t *this, message_t *message)
266 {
267 if (message->get_exchange_type(message) == IKE_SA_INIT)
268 {
269 return NEED_MORE;
270 }
271
272 process_certreqs(this, message);
273 process_certs(this, message);
274
275 return NEED_MORE;
276 }
277
278 /**
279 * Implementation of task_t.build for responder
280 */
281 static status_t build_r(private_ike_cert_t *this, message_t *message)
282 {
283 if (message->get_exchange_type(message) == IKE_SA_INIT)
284 {
285 build_certreqs(this, message);
286 return NEED_MORE;
287 }
288
289 build_certs(this, message);
290
291 return SUCCESS;
292 }
293
294 /**
295 * Implementation of task_t.process for initiator
296 */
297 static status_t process_i(private_ike_cert_t *this, message_t *message)
298 {
299 if (message->get_exchange_type(message) == IKE_SA_INIT)
300 {
301 process_certreqs(this, message);
302 return NEED_MORE;
303 }
304
305 process_certs(this, message);
306 return SUCCESS;
307 }
308
309 /**
310 * Implementation of task_t.get_type
311 */
312 static task_type_t get_type(private_ike_cert_t *this)
313 {
314 return IKE_CERT;
315 }
316
317 /**
318 * Implementation of task_t.migrate
319 */
320 static void migrate(private_ike_cert_t *this, ike_sa_t *ike_sa)
321 {
322 this->ike_sa = ike_sa;
323
324 this->cas->destroy_function(this->cas, free);
325 this->cas = linked_list_create();
326 this->certreq_seen = FALSE;
327 }
328
329 /**
330 * Implementation of task_t.destroy
331 */
332 static void destroy(private_ike_cert_t *this)
333 {
334 this->cas->destroy_function(this->cas, free);
335 free(this);
336 }
337
338 /*
339 * Described in header.
340 */
341 ike_cert_t *ike_cert_create(ike_sa_t *ike_sa, bool initiator)
342 {
343 private_ike_cert_t *this = malloc_thing(private_ike_cert_t);
344
345 this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
346 this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
347 this->public.task.destroy = (void(*)(task_t*))destroy;
348
349 if (initiator)
350 {
351 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
352 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
353 }
354 else
355 {
356 this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
357 this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
358 }
359
360 this->ike_sa = ike_sa;
361 this->initiator = initiator;
362 this->cas = linked_list_create();
363 this->certreq_seen = FALSE;
364
365 return &this->public;
366 }